Anonymous and Adaptively Secure Revocable IBE with Constant-Size Public Parameters

Jie Chen*, Hoon Wei Lim, San Ling, Le Su and Huaxiong Wang 



Abstract 



In Identity-Based Encryption (IBE) systems, key revocation is non-trivial. This is because a user's identity is itself a public key. Moreover, the private key corresponding to the identity needs to be obtained from a trusted key authority through an authenticated and secrecy-protected channel. So far, there exist only a very small number of revocable IBE (RIBE) schemes that support non-interactive key revocation, in the sense that the user is not required to interact with the key authority or some kind of trusted hardware to renew her private key without changing her public key (or identity). These schemes are either proven to be only selectively secure or have public parameters which grow linearly in a given security parameter. In this paper, we present two constructions of non-interactive RIBE that satisfy all the following three attractive properties: (i) proven to be adaptively secure under the Symmetric External Diffie-Hellman (SXDH) and the Decisional Linear (DLIN) assumptions; (ii) have constant-size public parameters; and (iii) preserve the anonymity of ciphertexts, a property that has not yet been achieved in any of the current schemes.



Index Terms 

Dual System Encryption, Functional Encryption, Identity-Based Encryption, Key Revocation 

I. Introduction 

Identity-based encryption (IBE) allows one's identity to be directly used as a public key [29], [6], [12]. This obviates the need for a public key certificate that attests the binding between the identity and a (seemingly) random key, as in the case of more conventional certificate-based public-key systems. Thus, IBE systems have simpler public key management than certificate-based systems. In IBE, however, a private key (corresponding to an identity) needs to be generated by a trusted key authority. This, together with the fact that a user's identity is itself a public key, complicates key renewal or revocation: one cannot simply change her public key, as this changes her identity as well. While there has been a great deal of work on IBE in recent years, see for example [7], not much work has been devoted to key revocation.
One direct way to alleviate the key revocation problem in the IBE setting is to have some trusted third party maintain a revocation list. A sender checks with the trusted third party and simply stops encrypting messages if the corresponding receiver is revoked. However, this direct model requires the trusted third party to stay online in order to respond to every sender's real-time checking query. To address this problem, one simple solution is to append a validity period to a target identity during encryption [6]. This results in a public key with a limited validity period, and hence restricts the window of exposure should the corresponding private key be compromised. If the validity period is sufficiently short, one may not require an explicit key revocation mechanism, since an exposed private key is of little value to an adversary beyond the specified validity period. However, one major drawback of this approach is that each user has to periodically renew her private key. As a consequence, the key authority's workload increases linearly in the number of non-revoked users. Further, we must ensure that each transmission of a new private key between the key authority and a non-revoked user is performed through some form of authenticated and secure channel. There exist some improved key revocation techniques in the literature, for example [19], [15]. However, they require interactions either between the user and the key authority, as before, or between the user and some kind of trusted hardware. These may not always be practical.

The first non-interactive, revocable IBE (RIBE) scheme that neither presupposes the existence of trusted hardware nor requires a secure channel between the user and the key authority is due to Boldyreva et al. [5]. Their scheme borrows the concept of fuzzy IBE (FIBE) [28], in which encryption of a message is associated with two "attributes", namely the identity of the receiver and the time period. The corresponding decryption key is also split into two private components, matching the identity and the time period, respectively. The private component that corresponds to the identity is essentially similar to a regular private key in IBE, and it is issued to a user by the key authority through a secure channel. On the other hand, the private key component corresponding to the time period is regarded as a key update and is published by the key authority to all users. (Here the key update is public information and does not require secrecy protection.) Thus, to revoke a user, the key authority simply stops distributing the key update for that user. To reduce the number of key updates to be performed by the key authority, Boldyreva et al. organize and relate users' key updates in a binary tree [22]. Briefly speaking, each node of the tree is assigned some key material and each user is assigned to a leaf node in the tree. Upon registration, the key authority computes and provides the user with a set of distinct private keys (corresponding to its identity) based on the key material for each node in the path from the leaf node corresponding to that user to the root node. To be able to decrypt a ciphertext associated with time t, the user needs just one key update (corresponding to t) computed on the key material associated with any of the nodes on the path from the leaf node of the user to the root node. Thus, when no user is revoked, the key authority publishes just the key update computed on the key material of the root node. When a subset of the users is revoked, the key authority first finds the minimal set of nodes in the tree which contains an ancestor (or, the node itself) of all the leaf nodes corresponding to non-revoked users. The key authority then distributes the key updates for only this set. This way, every update of the revocation list only requires the key authority to perform work logarithmic in the maximal number of users and linear in the number of revoked users.
A. Previous Non-Interactive RIBE Constructions

Although an adaptive-ID secure IBE scheme [30] (which is resilient even against an adversary that is allowed to adaptively select an identity as the attack target based on the responses to the adversary's queries in a security game) has been in existence for some years, constructing an RIBE scheme with an equivalent security guarantee is non-trivial. This is evident from the first RIBE scheme proposed by Boldyreva et al. [5]. Although it is intriguing that their RIBE scheme was constructed from the FIBE scheme of [28] and made clever use of the binary tree technique, the scheme was only proven in the selective-ID model, which is, unfortunately, a rather weak model. This is because the adversary is required to set the challenge identity and time at the beginning of a security game, before receiving the relevant public parameters. Nevertheless, Libert and Vergnaud [21] eventually proposed an adaptive-ID secure RIBE scheme using similar key revocation techniques as [5], and thus solved the problem left open by Boldyreva et al. However, instead of building on FIBE, Libert and Vergnaud adopted a variant [20] of the Waters IBE scheme [30], which is based on partitioning techniques and has the drawback of public parameters that comprise $O(\lambda)$ group elements for security parameter $\lambda$. Consequently, the Libert and Vergnaud RIBE scheme inherits a similar limitation. Clearly, it is desirable that a scheme have small or constant-size public parameters, secret keys, and ciphertexts if it is to be deployed in real-world applications.

B. RIBE from Dual System Encryption

Moving beyond proving security through partitioning techniques, Waters proposed the dual system encryption methodology [31], which has been a powerful tool to obtain full security for various classes of functional encryption (FE), such as IBE [11], [31], inner product encryption (IPE) [18], and attribute-based encryption (ABE) [18], [25]. Although there already exist some schemes that achieve full security using the dual system encryption technique (for example, the HIBE scheme of [17] has been proven to be fully secure by applying this technique to the HIBE scheme of [7]), these fully secure schemes typically require relatively large parameters and/or are constructed only in composite-order bilinear groups. Thus, in general, the dual system encryption methodology does not always provide a generic transformation from selective security to adaptive security without suffering from the mentioned limitations.

In our work, we initially tried to apply the dual system encryption technique to the selective-ID RIBE scheme of [5]; however, this results in a construction and proof analogous to the ABE scheme of [25]. Furthermore, as we illustrate below, such an approach does not enjoy constant-size public parameters and keys.

To see this, we specifically consider the binary-tree key update approach [5], [21] in a setting similar to key-policy ABE¹. As before, a ciphertext in the RIBE scheme is associated with two attributes: identity $\mathrm{id}_i$ and time period $t_j$. The ciphertext can be decrypted by a user if and only if the user possesses both the private key for identity $\mathrm{id}_i$ and the key update for time $t_j$ on some node in the tree. Since the private keys and key updates associated with a specific node are not given to the users simultaneously, collusion among some (non-revoked) users on some

¹The case for the ciphertext-policy ABE setting is similar.
attributes (i.e., the time attribute) is possible. Hence, from the view of ABE, all users can be regarded as "sharing" the same key (or private component) associated with an access structure of the form

$(\mathrm{id}_1 \vee \cdots \vee \mathrm{id}_n) \wedge (t_1 \vee \cdots \vee t_m)$

on each node in the tree for some integers n and m, but each user is given only some parts of the key for this access structure. That is, the parts of the key that the user gets correspond to the access structure $\mathrm{id}_i \wedge (t_1 \vee \cdots \vee t_m)$ if this node is in the path from the leaf node associated with $\mathrm{id}_i$ to the root node, while the key updates corresponding to $(t_1 \vee \cdots \vee t_m)$ are given to all users (not necessarily at the same time). Clearly, we require that the private keys are collusion-resistant on different nodes. Moreover, supporting a large-universe attribute space is required and can be used to deal with exponential identity spaces in RIBE.



We observe, however, that the adaptively secure ABE schemes of [25] cannot be used directly for our purpose, because the resulting RIBE somewhat unexpectedly has private keys and ciphertexts with sizes that grow linearly in the maximal number of users and the size of the time space (even though they are polynomial in the security parameter). It turns out that constructing a fully secure RIBE scheme with constant-size public parameters and keys requires additional work.

C. Our Contributions 

In this paper, we investigate how to instantiate the Waters dual system encryption methodology with revocable IBE 
schemes. Particularly, we construct two efficient non-interactive RIBE schemes that are proven to be adaptively 
secure under the Symmetric External Diffie-Hellman (SXDH) and the Decisional Linear (DLIN) assumptions, 
respectively. 

Our schemes improve on the previous work by achieving adaptive security with constant-size public parameters. Moreover, our schemes are anonymous, namely, they preserve the privacy of ciphertext recipients and encryption times. We note that previous RIBE schemes do not consider the anonymity property; it is an advantage inherited from using dual pairing vector spaces (DPVS) [26] to achieve orthogonality and entropy-hiding in prime-order groups.



Our constructions also make use of the key revocation techniques of [5], [21]; namely, we employ the binary-tree data structure to achieve key updates with logarithmic complexity in the maximal number of users for the key authority.

We give a summary of comparisons between existing and our RIBE schemes in Table I. Here, we use PP to denote public parameters, MK to denote master key, SK to denote private key, KU to denote key update, CT to denote ciphertext, and # pairings to denote the number of pairing computations for decryption. The sizes are in terms of group elements and $\lambda$ denotes the security parameter.
TABLE I

Comparisons between existing and our RIBE schemes.

                BGK [5]     LV [21]     Ours (SXDH)   Ours (DLIN)
size of PP      5           O(λ)        19            55
size of MK      1           1           19            55
size of SK      2           3           6             9
size of KU      2           3           6             9
size of CT      4           5           6             9
# pairings      4           3           12            18
security        selective   adaptive    adaptive      adaptive
anonymity       No          No          Yes           Yes
assumption      DBDH        mDBDH       SXDH          DLIN



We compare our schemes against Boldyreva et al.'s scheme [5], which is under the Decisional Bilinear Diffie-Hellman (DBDH) assumption, and Libert and Vergnaud's scheme [21], which is under the modified DBDH (mDBDH) assumption. Overall, our schemes are anonymous, adaptively secure, and have constant-size public parameters, at the expense of bigger (but arguably still acceptable) sizes of the master key, private key, and key update.

D. Our Approach 

In RIBE, unlike in the standard security game for IBE, the adversary is allowed to query parts of the challenge identities and time periods. Thus, to overcome the problem of public parameter sizes growing in the maximal number of users and the size of the time space, as analyzed in the ABE setting, our security proof makes use of two types of nominally semi-functional pairs, while all the previous works based on the dual system encryption methodology, such as [31], require only a single type of nominally semi-functional pair. Moreover, prior to the start of the game, we execute a preliminary game to "locate" the positions of the challenge identities and times. We then transform all the private keys and key updates associated with the non-challenge identities and times, respectively, into nominally semi-functional ones (which we call Type I) one by one. We transform the challenge private keys and key updates (or simply keys) into nominally semi-functional ones (which we call Type II) node by node at the last step. Note that the adversary can detect that the distribution of nominally semi-functional pairs of Type I for challenge identities and times differs from the distribution of the semi-functional keys and ciphertexts. Moreover, nominally semi-functional pairs of Type II can only be generated for the last remaining keys; in other words, all the other keys must already have been made semi-functional. This is why the preliminary game is needed. We also introduce some statistical indistinguishability arguments in our proof to show that the distributions of nominally semi-functional pairs of both Types I and II remain the same as the distributions of semi-functional keys and ciphertexts from the adversary's view. Finally, we arrive at a security game that only requires generating semi-functional keys and ciphertexts, for which security can be proved directly.
II. Preliminaries

A. Dual Pairing Vector Spaces

Our constructions are based on dual pairing vector spaces proposed by Okamoto and Takashima [23]–[26]. In this paper, we concentrate on the asymmetric version [26]. In particular, we give a brief description of how to generate random dual orthonormal bases. See [23], [26] for a full definition of dual pairing vector spaces.

Definition 1 (Asymmetric bilinear pairing groups). Asymmetric bilinear pairing groups $(q, G_1, G_2, G_T, g_1, g_2, e)$ are a tuple of a prime $q$, cyclic (multiplicative) groups $G_1, G_2$ and $G_T$ of order $q$, $g_1 \neq 1 \in G_1$, $g_2 \neq 1 \in G_2$, and a polynomial-time computable nondegenerate bilinear pairing $e : G_1 \times G_2 \to G_T$, i.e., $e(g_1^s, g_2^t) = e(g_1, g_2)^{st}$ and $e(g_1, g_2) \neq 1$.

In addition to individual elements of $G_1$ or $G_2$, we will also consider "vectors" of group elements. For $\mathbf{v} = (v_1, \ldots, v_n) \in \mathbb{Z}_q^n$ and $g_\beta \in G_\beta$, we write $g_\beta^{\mathbf{v}}$ to denote an $n$-tuple of elements of $G_\beta$ for $\beta = 1, 2$:

$g_\beta^{\mathbf{v}} := (g_\beta^{v_1}, \ldots, g_\beta^{v_n}).$

For any $a \in \mathbb{Z}_q$ and $\mathbf{v}, \mathbf{w} \in \mathbb{Z}_q^n$, we have:

$g_\beta^{a\mathbf{v}} := (g_\beta^{a v_1}, \ldots, g_\beta^{a v_n}), \qquad g_\beta^{\mathbf{v} + \mathbf{w}} := (g_\beta^{v_1 + w_1}, \ldots, g_\beta^{v_n + w_n}).$

Then we define

$e(g_1^{\mathbf{v}}, g_2^{\mathbf{w}}) := \prod_{i=1}^{n} e(g_1^{v_i}, g_2^{w_i}) = e(g_1, g_2)^{\mathbf{v} \cdot \mathbf{w}}.$

Here, the dot product is taken modulo $q$.

Dual Pairing Vector Spaces. For a fixed (constant) dimension $n$, we choose two random bases $\mathbb{B} := (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ and $\mathbb{B}^* := (\mathbf{b}_1^*, \ldots, \mathbf{b}_n^*)$ of $\mathbb{Z}_q^n$, subject to the constraint that they are "dual orthonormal", meaning that

$\mathbf{b}_i \cdot \mathbf{b}_j^* = 0 \pmod q$

whenever $i \neq j$, and

$\mathbf{b}_i \cdot \mathbf{b}_i^* = \psi \pmod q$

for all $i$, where $\psi$ is a random element of $\mathbb{Z}_q$. We denote the above algorithm, which generates the dual orthonormal bases, as $\mathrm{Dual}(\cdot)$. Then for generators $g_1 \in G_1$ and $g_2 \in G_2$, we have

$e(g_1^{\mathbf{b}_i}, g_2^{\mathbf{b}_j^*}) = 1$

whenever $i \neq j$, where $1$ here denotes the identity element in $G_T$.



B. Complexity Assumptions 

To define the SXDH assumption, we first define DDH problems in Gi and G2. 
Definition 2 (DDH1: Decisional Diffie-Hellman Assumption in $G_1$). Given a group generator $\mathcal{G}$, we define the following distribution:

$\mathbb{G} := (q, G_1, G_2, G_T, g_1, g_2, e) \leftarrow_R \mathcal{G},$
$a, b, c \leftarrow_R \mathbb{Z}_q.$

We assume that for any PPT algorithm $\mathcal{A}$ (with output in $\{0, 1\}$),

$\mathrm{Adv}^{\mathrm{DDH1}}_{\mathcal{A}}(\lambda) := \left| \Pr[\mathcal{A}(D, g_1^{ab}) = 1] - \Pr[\mathcal{A}(D, g_1^{ab+c}) = 1] \right|$

is negligible in the security parameter $\lambda$.

The dual of the Decisional Diffie-Hellman assumption in $G_1$ is the Decisional Diffie-Hellman assumption in $G_2$ (denoted as DDH2), which is identical to Definition 2 with the roles of $G_1$ and $G_2$ reversed. We say that:

Definition 3. The Symmetric External Diffie-Hellman assumption holds if DDH problems are intractable in both $G_1$ and $G_2$.

The following SXDH-based Subspace assumption is from [11]; we will use it in our security proof.

Definition 4 (DS1: Decisional Subspace Assumption in $G_1$). Given a group generator $\mathcal{G}(\cdot)$, define the following distribution:

$\mathbb{G} := (q, G_1, G_2, G_T, g_1, g_2, e) \leftarrow_R \mathcal{G}(1^\lambda),$
$(\mathbb{B}, \mathbb{B}^*) \leftarrow_R \mathrm{Dual}(\mathbb{Z}_q^N),$
$U_1 := g_2^{\cdots},\ \ldots,\ U_K := g_2^{\cdots},$
$D := (\mathbb{G};\ g_2^{\mathbf{b}_1^*}, \ldots, g_2^{\mathbf{b}_K^*},\ g_2^{\mathbf{b}_{2K+1}^*}, \ldots, g_2^{\mathbf{b}_N^*},\ g_1^{\mathbf{b}_1}, \ldots, g_1^{\mathbf{b}_N},\ U_1, \ldots, U_K,\ \mu_2),$

where $K, N$ are fixed positive integers that satisfy $2K \leq N$. We assume that for any PPT algorithm $\mathcal{A}$ (with output in $\{0, 1\}$),

$\mathrm{Adv}^{\mathrm{DS1}}_{\mathcal{A}}(\lambda) := \left| \Pr[\mathcal{A}(D, V_1, \ldots, V_K) = 1] - \Pr[\mathcal{A}(D, W_1, \ldots, W_K) = 1] \right|$

is negligible in the security parameter $\lambda$.
Lemma 1. If the DDH assumption in $G_1$ holds, then the Subspace assumption in $G_1$ stated in Definition 4 also holds. More precisely, for any adversary $\mathcal{A}$ against the Subspace assumption in $G_1$, there exist probabilistic algorithms $\mathcal{B}$ whose running times are essentially the same as that of $\mathcal{A}$, such that

$\mathrm{Adv}^{\mathrm{DS1}}_{\mathcal{A}}(\lambda) \leq \mathrm{Adv}^{\mathrm{DDH1}}_{\mathcal{B}}(\lambda).$

The dual of the Subspace assumption in $G_1$ is the Subspace assumption in $G_2$ (denoted as DS2), which is identical to Definition 4 with the roles of $G_1$ and $G_2$ reversed. Similarly, the Subspace assumption holds in $G_2$ if the DDH assumption in $G_2$ holds.

We define the DLIN problem in symmetric bilinear pairing groups (namely $G_1 = G_2$). The DLIN-based Subspace assumptions can be found in [16], [25].

Definition 5 (DLIN: Decisional Linear Assumption). Given a group generator $\mathcal{G}$, we define the following distribution:

$\mathbb{G} := (q, G, G_T, g, e) \leftarrow_R \mathcal{G},$
$a_1, a_2, b_1, b_2, c \leftarrow_R \mathbb{Z}_q.$

We assume that for any PPT algorithm $\mathcal{A}$ (with output in $\{0, 1\}$),

$\mathrm{Adv}^{\mathrm{DLIN}}_{\mathcal{A}}(\lambda) := \left| \Pr[\mathcal{A}(D, g^{b_1 + b_2}) = 1] - \Pr[\mathcal{A}(D, g^{b_1 + b_2 + c}) = 1] \right|$

is negligible in the security parameter $\lambda$.

III. Revocable IBE 

We first recall the definition of RIBE and its security from [5] and then define an appropriate security model for our constructions.

Definition 6. An Identity-Based Encryption scheme with efficient revocation, or simply a Revocable IBE (RIBE) scheme, has seven PPT algorithms Setup, PriKeyGen, KeyUpd, DecKeyGen, Enc, Dec, and KeyRev with associated message space M, identity space I and time space T. We assume that the size of T is polynomial in the security parameter. Each algorithm is run by one of three types of parties: key authority, sender or receiver. The key authority maintains a revocation list RL and state ST. In what follows, an algorithm is called stateful if it updates RL or ST. We treat time as discrete as opposed to continuous.

• Setup(l^, A'^max) takes as input a security parameter A and a maximal number of users N,nax- It outputs 
public parameters PP, a master key MK, a revocation list RL (initially empty), and a state ST. (This is run 
by the key authority.) 

• PriKeyGen(PP, MK, id, ST) takes as input the public parameters PP, the master key MK, an identity id £ I, 
and the state ST. It outputs a private key SKjd and an updated state ST. (This is stateful and run by the key 
authority.) 



9 



• KeyUpd(PP, MK,t, RL, ST) takes as input the public parameters PP, the master key MK, a key update time 
t £ T, the revocation list RL, and the state ST. It outputs a key update KUt- (This is run by the key authority.) 

• DecKeyGen(SKid, KUt) takes as input a private key SKid and key update KUt- It outputs a decryption key 
DKid,t or a special symbol _L indicating that id was revoked. (This is deterministic and run by the receiver) 

• Enc(PP, id, t, m) takes as input the public parameters PP, an identity id G X, an encryption time t G 7", and 
a message m G M. It outputs a ciphertext CTid,t- (This is run by the sender.) 

• Dec(PP, DKid t, CTid t) takes as input the public parameters PP, a decryption key DKjd t, <^nd a ciphertext 
CTjd^t- It outputs a message m G M. (This is deterministic and run by the receiver ) 

• KeyRev(id, t, RL, ST) takes as input an identity to be revoked id G I, fl revocation time t G 7", the revocation 
list RL, and the state ST. It outputs an updated revocation list RL. (This is stateful and run by the key authority.) 

The consistency condition requires that for all λ ∈ ℕ and polynomials (in λ) N_max, all PP and MK output by the setup algorithm Setup, all m ∈ M, id ∈ I, t ∈ T and all possible valid states ST and revocation lists RL, if identity id was not revoked before or at time t, then the following experiment returns 1 except with negligible probability:

(SK_id, ST) ← PriKeyGen(PP, MK, id, ST);
KU_t ← KeyUpd(PP, MK, t, RL, ST);
DK_{id,t} ← DecKeyGen(SK_id, KU_t);
CT_{id,t} ← Enc(PP, id, t, m);

If Dec(PP, DK_{id,t}, CT_{id,t}) = m then return 1 else return 0.

Boldyreva et al. formalized and defined the selective-ID security for RIBE. Their definition captures not only the standard notion of selective-ID security but also takes into account key revocation. The following definition extends the security property expressed in [5] to the adaptive-ID and anonymous setting.

• Setup: It is run to generate public parameters PP, a master key MK, a revocation list RL (initially empty), and a state ST. Then PP is given to A.

• Query: A may adaptively make a polynomial number of queries to the following oracles (the oracles share state):

- The private key generation oracle PriKeyGen(·) takes as input an identity id and runs PriKeyGen(PP, MK, id, ST) to return a private key SK_id.

- The key update generation oracle KeyUpd(·) takes as input a time t and runs KeyUpd(PP, MK, t, RL, ST) to return a key update KU_t.

- The revocation oracle KeyRev(·, ·) takes as input an identity id and a time t and runs KeyRev(id, t, RL, ST) to update RL.

• Challenge: A outputs the two challenge pairs (id*_(0), t*_(0), m*_(0)), (id*_(1), t*_(1), m*_(1)) ∈ I × T × M. A random bit β is chosen. A is given Enc(PP, id*_(β), t*_(β), m*_(β)).

• Guess: The adversary may continue to make queries to the oracles as in the Query phase and outputs a bit β', and succeeds if β' = β.

The following restrictions must always hold:

1) KeyUpd(·) and KeyRev(·, ·) can be queried only on a time which is greater than or equal to the time of all previous queries, i.e., the adversary is allowed to query only in non-decreasing order of time. Also, the oracle KeyRev(·, ·) cannot be queried at time t if KeyUpd(·) was queried on t.

2) For β = 0, 1, if PriKeyGen(·) was queried on identity id*_(β) then KeyRev(·, ·) must be queried on (id*_(β), t) for some t ≤ t*_(β), i.e., identity id*_(β) must be in RL when KeyUpd(·) is queried at time t*_(β).

For β = 0, 1 let W_β be the event that the adversary outputs 1 in Experiment β and define

Definition 7. An RIBE scheme is adaptive-ID secure and anonymous if for all PPT adversaries A the function Adv_A(λ) is negligible.



Remark: The security notion of non-anonymous RIBE is defined as above with the restriction that id*_(0) = id*_(1) and t*_(0) = t*_(1). On the other hand, if the adversary A outputs (id*_(0), t*_(0)) and (id*_(1), t*_(1)) before the Setup phase, it is selective-ID security.

IV. Construction from SXDH

In this section, we present our first construction of RIBE and its proof of security under the SXDH assumption.

A. The Binary-tree Data Structure

Key revocation in our scheme relies on the binary-tree data structure, as in [3], [22], [5], [21]. We denote the binary tree by BT and its root node by root. If v is a leaf node then Path(v) denotes the set of nodes on the path from v to root (both v and root inclusive). If θ is a non-leaf node then θ_l, θ_r denote the left and right child of θ, respectively. We assume that all nodes in the tree are uniquely encoded as strings, and the tree is defined by all of its node descriptions.

Each user is assigned to a leaf node v. Upon registration, the key authority provides the user with a set of distinct private keys, one for each node in Path(v). At time t, the key authority uses an algorithm called KUNodes to determine the minimal set Y of nodes in BT such that none of the nodes in RL with corresponding time ≤ t (users revoked on or before t) have any ancestor (or, themselves) in the set Y, and all other leaf nodes (corresponding to non-revoked users) have exactly one ancestor (or, themselves) in the set. The KUNodes algorithm takes as input a binary tree BT, a revocation list RL and a time t, and can be formally specified as follows:

KUNodes(BT, RL, t)
  X, Y ← ∅
  ∀(v_i, t_i) ∈ RL
    if t_i ≤ t then add Path(v_i) to X
  ∀θ ∈ X
    if θ_l ∉ X then add θ_l to Y
    if θ_r ∉ X then add θ_r to Y
  If Y = ∅ then add root to Y
  Return Y

The KUNodes algorithm marks all the ancestors of revoked nodes as revoked and outputs all the non-revoked children of revoked nodes. The key authority then publishes a key update for all nodes of Y. A user assigned to leaf v is then able to form an effective decryption key for time t if the set Y contains a node in Path(v). By doing so, every update of the revocation list RL only requires the key authority to perform work logarithmic in the maximal number of users and linear in the number of revoked users.
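The following Python is an added example, not code from the paper: it implements Path and KUNodes over a complete binary tree and checks, on a constructed revocation list, the covering property stated above (revoked leaves have no node of their path in Y, every other leaf has exactly one). The node labelling is this example's own choice (root is the empty string, children are obtained by appending "0" or "1"); the paper only requires that nodes be uniquely encoded as strings. The `matching_node` helper mirrors the node matching that DecKeyGen performs in Section IV.B.

```python
# Added example, not code from the paper: Path/KUNodes over a complete binary
# tree, plus the covering property the key authority relies on.
# Labelling (this example's choice): root is "", the children of a non-leaf
# node theta are theta+"0" (left) and theta+"1" (right); a leaf is a string of
# length `depth`.  Every node is therefore uniquely encoded as a string.
from math import ceil, log2

ROOT = ""

def build_tree(n_max):
    """Complete binary tree with at least n_max leaves: returns (depth, leaves)."""
    depth = max(1, ceil(log2(n_max)))
    return depth, [format(i, f"0{depth}b") for i in range(2 ** depth)]

def path(leaf):
    """Path(v): nodes from leaf v up to root, both inclusive."""
    return [leaf[:i] for i in range(len(leaf), -1, -1)]

def children(theta):
    """theta_l and theta_r."""
    return theta + "0", theta + "1"

def ku_nodes(depth, rl, t):
    """KUNodes(BT, RL, t) as specified above; rl is a set of (leaf, time) pairs."""
    x, y = set(), set()
    for leaf, t_i in rl:
        if t_i <= t:                 # revoked on or before t
            x.update(path(leaf))
    for theta in x:
        if len(theta) == depth:      # a revoked leaf has no children
            continue
        for child in children(theta):
            if child not in x:
                y.add(child)
    if not y:
        y.add(ROOT)                  # nobody revoked yet: one update covers everyone
    return y

def matching_node(leaf, y):
    """DecKeyGen's node matching: the node of Path(leaf) that Y covers, or None."""
    hits = [theta for theta in path(leaf) if theta in y]
    return hits[0] if hits else None

def covering_ok(depth, leaves, rl, t):
    """Leaves revoked on or before t have no node of their path in Y;
    every other leaf has exactly one."""
    y = ku_nodes(depth, rl, t)
    revoked = {leaf for leaf, t_i in rl if t_i <= t}
    for leaf in leaves:
        hits = sum(1 for theta in path(leaf) if theta in y)
        if hits != (0 if leaf in revoked else 1):
            return False
    return True

# Constructed scenario: N_max = 8 users, two revocations at different times.
DEPTH, LEAVES = build_tree(8)
RL = {("010", 2), ("111", 5)}

if __name__ == "__main__":
    for t in (1, 3, 5):
        y = ku_nodes(DEPTH, RL, t)
        print(f"t={t}: |Y|={len(y)} Y={sorted(y)} ok={covering_ok(DEPTH, LEAVES, RL, t)}")
    print("user 000 at t=3 decrypts via node", matching_node("000", ku_nodes(DEPTH, RL, 3)))
    print("user 010 at t=3:", matching_node("010", ku_nodes(DEPTH, RL, 3)))
```

At t = 1 nothing is revoked yet and Y is just the root; at t = 3 the single revoked leaf "010" makes Y the three siblings along its path, and the revoked user finds no node of its path in Y, which is exactly the ⊥ case of DecKeyGen.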

B. Our Scheme 

We now specify our RIBE scheme. We sometimes provide some intuition or remark at the end of an algorithm 
and this is marked by the symbol "//". 

• Setup(λ, N_max) On input a security parameter λ and a maximal number N_max of users, generate a bilinear pairing $\mathbb{G} := (q, G_1, G_2, G_T, g_1, g_2, e)$ of sufficiently large prime order q. Next perform the following steps:

1) Let RL be an empty set and BT be a binary tree with at least N_max leaf nodes; set ST = BT.

2) Sample random dual orthonormal bases $(\mathbb{D}, \mathbb{D}^*) \leftarrow_R \mathrm{Dual}(\mathbb{Z}_q^6)$. Let $\mathbf{d}_1, \ldots, \mathbf{d}_6$ denote the elements of $\mathbb{D}$ and $\mathbf{d}_1^*, \ldots, \mathbf{d}_6^*$ denote the elements of $\mathbb{D}^*$. It also picks $\alpha \leftarrow_R \mathbb{Z}_q$ and computes $g_T := e(g_1, g_2)^{\alpha\,\mathbf{d}_1 \cdot \mathbf{d}_1^*}$.

3) Output RL, ST, the public parameters PP and the master key MK.

• PriKeyGen(PP, MK, id, RL, ST) On input the public parameters PP, the master key MK, an identity id, the revocation list RL, and the state ST, it picks an unassigned leaf node v from BT and stores id in that node. It then performs the following steps:

1) For any θ ∈ Path(v), if $a_{\theta,1}, a_{\theta,2}$ are undefined, then pick $a_{\theta,1} \leftarrow_R \mathbb{Z}_q$, set $a_{\theta,2} = \alpha - a_{\theta,1}$, and store them in node θ.² Pick $r_{\theta,1} \leftarrow_R \mathbb{Z}_q$ and compute

$K_{\mathrm{id},\theta} := g_2^{(a_{\theta,1} + r_{\theta,1}\,\mathrm{id})\,\mathbf{d}_1^* - r_{\theta,1}\,\mathbf{d}_2^*}.$

2) Output SK_id := {(θ, K_{id,θ})}_{θ ∈ Path(v)}, ST.
//The algorithm computes the id-component of the decryption key for all the nodes on the path from the leaf node (corresponding to id) to root.
//The algorithm computes the id-component of the decryption key for all the nodes on the path from the leaf 
node (corresponding to id) to root. 

• KeyUpd(PP, MK, t, RL, ST) On input the public parameters PP, the master key MK, a time t, the revocation list RL, and the state ST, it performs the following steps:

1) ∀θ ∈ KUNodes(BT, RL, t), if $a_{\theta,1}, a_{\theta,2}$ are undefined, then pick $a_{\theta,1} \leftarrow_R \mathbb{Z}_q$, set $a_{\theta,2} = \alpha - a_{\theta,1}$, and store them in node θ. Pick $r_{\theta,2} \leftarrow_R \mathbb{Z}_q$ and compute

$K_{t,\theta} := g_2^{(a_{\theta,2} + r_{\theta,2}\,t)\,\mathbf{d}_1^* - r_{\theta,2}\,\mathbf{d}_3^*}.$

2) Output KU_t := {(θ, K_{t,θ})}_{θ ∈ KUNodes(BT, RL, t)}.

//The algorithm first finds a minimal set of nodes which contains an ancestor (or, the node itself) of all the non-revoked nodes. Then it computes the t-component of the decryption key for all the nodes in that set.

• DecKeyGen(SK_id, KU_t) On input a private key SK_id := {(i, K_{id,i})}_{i ∈ I} and a key update KU_t := {(j, K_{t,j})}_{j ∈ J} for some sets of nodes I, J, it runs the following steps:

1) ∀(i, K_{id,i}) ∈ SK_id, (j, K_{t,j}) ∈ KU_t, if ∃ i, j s.t. i = j then DK_{id,t} ← (K_{id,i}, K_{t,j}); else (if SK_id and KU_t do not have any node in common) DK_{id,t} ← ⊥.

2) Output DK_{id,t}.

• Enc(PP, id, t, m) On input the public parameters PP, an identity id, a time $t \in \mathbb{Z}_q$, and a message m, pick $z \leftarrow_R \mathbb{Z}_q$ and form the ciphertext as

$\mathrm{CT}_{\mathrm{id},t} := \left( C := m \cdot (g_T)^z,\quad C_0 := g_1^{z(\mathbf{d}_1 + \mathrm{id}\,\mathbf{d}_2 + t\,\mathbf{d}_3)} \right).$

• Dec(PP, DK_{id,t}, CT_{id,t}) On input the public parameters PP, a decryption key DK_{id,t} := (K_{id,θ}, K_{t,θ}), and a ciphertext CT_{id,t} := (C, C_0), it computes the message as

$m := C \big/ \left( e(C_0, K_{\mathrm{id},\theta}) \cdot e(C_0, K_{t,\theta}) \right).$

• KeyRev(id, t, RL, ST) On input an identity id, a time t, the revocation list RL, and the state ST, the algorithm adds (id, t) to RL for all nodes v associated with identity id and returns RL.

This ends the description of our scheme.



²To avoid having to store $a_{\theta,1}, a_{\theta,2}$ for each node, the authority can derive them from a pseudo-random function using a shorter seed and re-compute them when necessary.
Correctness: Observe that

$e(C_0, K_{\mathrm{id},\theta}) = e\left(g_1^{z(\mathbf{d}_1 + \mathrm{id}\,\mathbf{d}_2 + t\,\mathbf{d}_3)},\ g_2^{(a_{\theta,1} + r_{\theta,1}\,\mathrm{id})\,\mathbf{d}_1^* - r_{\theta,1}\,\mathbf{d}_2^*}\right)$
$= e(g_1, g_2)^{z a_{\theta,1}\,\mathbf{d}_1 \cdot \mathbf{d}_1^*} \cdot e(g_1, g_2)^{z r_{\theta,1}\,\mathrm{id}\,\mathbf{d}_1 \cdot \mathbf{d}_1^* - z r_{\theta,1}\,\mathrm{id}\,\mathbf{d}_2 \cdot \mathbf{d}_2^*},$

where the second factor is 1 since $\mathbf{d}_1 \cdot \mathbf{d}_1^* = \mathbf{d}_2 \cdot \mathbf{d}_2^* = \psi$ and all cross terms $\mathbf{d}_i \cdot \mathbf{d}_j^*$ with $i \neq j$ vanish. Similarly, $e(C_0, K_{t,\theta}) = e(g_1, g_2)^{z a_{\theta,2}\,\mathbf{d}_1 \cdot \mathbf{d}_1^*}$. The message is recovered as:

$C \big/ \left(e(C_0, K_{\mathrm{id},\theta}) \cdot e(C_0, K_{t,\theta})\right) = m \cdot \left(e(g_1, g_2)^{\alpha\,\mathbf{d}_1 \cdot \mathbf{d}_1^*}\right)^z \big/ e(g_1, g_2)^{\alpha z\,\mathbf{d}_1 \cdot \mathbf{d}_1^*} = m,$

using $a_{\theta,1} + a_{\theta,2} = \alpha$.
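The following Python is an added example, not the paper's code, and serves two passages: the Dual(·) generation of Section II.A and the correctness computation just shown. It generates dual orthonormal bases over a constructed small prime q by taking $\mathbb{B}^* = \psi\,(\mathbb{B}^{-1})^{T}$, checks $\mathbf{b}_i \cdot \mathbf{b}_j^* = \psi$ for $i = j$ and 0 otherwise, and then carries the scheme's correctness argument out in the exponent: since $e(g_1^{\mathbf{v}}, g_2^{\mathbf{w}}) = e(g_1, g_2)^{\mathbf{v} \cdot \mathbf{w}}$, each pairing in Dec is represented by the dot product of the two exponent vectors mod q, so no pairing library is needed. The prime, the random seed and the sample identity/time values are this example's constructed choices; the dimension 6 and the vector layout of $C_0$, $K_{\mathrm{id},\theta}$ and $K_{t,\theta}$ follow the scheme above.

```python
# Added example, not code from the paper.  Works "in the exponent": a group
# element g^v is represented by its exponent vector v over Z_q, and a pairing
# e(g1^v, g2^w) by the dot product v.w mod q.
import random

def mat_inv_mod(m, q):
    """Inverse of a square matrix over Z_q (Gauss-Jordan); None if singular."""
    n = len(m)
    a = [[x % q for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col]), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, q)
        a[col] = [x * inv % q for x in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % q for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]

def dual(n, q, rng=random):
    """Dual(Z_q^n): bases (B, B*) with b_i . b*_j = psi if i == j else 0 (mod q).
    B is a random invertible matrix (rows b_i); B* := psi * (B^{-1})^T."""
    while True:
        b = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
        inv = mat_inv_mod(b, q)
        if inv is not None:
            break
    psi = rng.randrange(1, q)
    b_star = [[psi * inv[j][i] % q for j in range(n)] for i in range(n)]
    return b, b_star, psi

def dot(u, v, q):
    return sum(x * y for x, y in zip(u, v)) % q

def lin(q, *terms):
    """Linear combination sum(c * v) over Z_q of (coefficient, vector) pairs."""
    n = len(terms[0][1])
    return [sum(c * v[k] for c, v in terms) % q for k in range(n)]

def is_dual_orthonormal(b, b_star, psi, q):
    n = len(b)
    return all(dot(b[i], b_star[j], q) == (psi if i == j else 0)
               for i in range(n) for j in range(n))

def dec_exponent(q, d, ds, alpha, a1, key_id, key_t, enc_id, enc_t, z, r1, r2):
    """Exponent (base e(g1,g2)) of e(C0, K_id) * e(C0, K_t) for a decryption key
    on (key_id, key_t) applied to a ciphertext on (enc_id, enc_t).
    d, ds are the bases D and D* (dimension 6), indexed 0..5 for d_1..d_6."""
    a2 = (alpha - a1) % q
    # C0 = g1^{z(d1 + id d2 + t d3)}
    c0 = lin(q, (z, d[0]), (z * enc_id, d[1]), (z * enc_t, d[2]))
    # K_id = g2^{(a1 + r1 id) d1* - r1 d2*},  K_t = g2^{(a2 + r2 t) d1* - r2 d3*}
    k_id = lin(q, (a1 + r1 * key_id, ds[0]), (-r1, ds[1]))
    k_t = lin(q, (a2 + r2 * key_t, ds[0]), (-r2, ds[2]))
    return (dot(c0, k_id, q) + dot(c0, k_t, q)) % q

def demo(seed=1, q=2**31 - 1):
    """Setup/Enc/Dec in the exponent: decryption succeeds iff the exponent equals
    z * alpha * (d1 . d1*), i.e. iff e(C0,K_id) e(C0,K_t) = (g_T)^z."""
    rng = random.Random(seed)                 # constructed, deterministic randomness
    d, ds, psi = dual(6, q, rng)
    alpha, a1 = rng.randrange(q), rng.randrange(q)
    z, r1, r2 = (rng.randrange(1, q) for _ in range(3))
    ident, t = 12345, 7                       # constructed id and time in Z_q
    target = z * alpha * psi % q              # d1 . d1* = psi
    run = lambda eid, et: dec_exponent(q, d, ds, alpha, a1, ident, t, eid, et, z, r1, r2) == target
    return {"orthonormal": is_dual_orthonormal(d, ds, psi, q),
            "match": run(ident, t),
            "wrong_id": run(ident + 1, t),
            "wrong_time": run(ident, t + 1)}

if __name__ == "__main__":
    print(demo())
```

The mismatch cases show why the $r_{\theta,1}\mathbf{d}_2^*$ and $r_{\theta,2}\mathbf{d}_3^*$ terms matter: with a different identity the leftover exponent is $z\psi(\alpha - r_{\theta,1})$ rather than $z\psi\alpha$, so the blinding factor $(g_T)^z$ is not cancelled and the ciphertext does not decrypt.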

C. Proof of Security 



Statistical Indistinguishability Lemmas: We require the following two lemmas, which are derived from [26], for our security proofs.

Lemma 2. For $p \in \mathbb{Z}_q$, let

$C_p := \{(\mathbf{x}, \mathbf{v}) \mid \mathbf{x} \cdot \mathbf{v} = p,\ \mathbf{0} \neq \mathbf{x},\ \mathbf{0} \neq \mathbf{v} \in \mathbb{Z}_q^n\}.$

For all $(\mathbf{x}, \mathbf{v}) \in C_p$, for all $(\mathbf{z}, \mathbf{w}) \in C_p$, and $A \leftarrow_R \mathbb{Z}_q^{n \times n}$ ($A$ is invertible with overwhelming probability),

$\Pr[\mathbf{x}A^{T} = \mathbf{z} \wedge \mathbf{v}A^{-1} = \mathbf{w}] = \frac{1}{\#C_p}.$

Lemma 3. For $p_1, p_2 \in \mathbb{Z}_q$, let

$C_{p_1,p_2} := \{(\mathbf{x}, \mathbf{v}_1, \mathbf{v}_2) \mid \mathbf{x} \neq \mathbf{0},\ \mathbf{x} \cdot \mathbf{v}_1 = p_1,\ \mathbf{x} \cdot \mathbf{v}_2 = p_2\},$

where $\mathbf{x}, \mathbf{v}_1, \mathbf{v}_2 \in \mathbb{Z}_q^n$ and $\{\mathbf{v}_1, \mathbf{v}_2\}$ are linearly independent over $\mathbb{Z}_q$. For all $(\mathbf{x}, \mathbf{v}_1, \mathbf{v}_2) \in C_{p_1,p_2}$, for all $(\mathbf{z}, \mathbf{w}_1, \mathbf{w}_2) \in C_{p_1,p_2}$, and $A \leftarrow_R \mathbb{Z}_q^{n \times n}$ ($A$ is invertible with overwhelming probability),

$\Pr[\mathbf{x}A^{T} = \mathbf{z} \wedge \mathbf{v}_1 A^{-1} = \mathbf{w}_1 \wedge \mathbf{v}_2 A^{-1} = \mathbf{w}_2] = \frac{1}{\#C_{p_1,p_2}}.$
The following theorem shows that our RIBE scheme is indeed adaptively secure and anonymous.

Theorem 1. The RIBE scheme is adaptively secure and anonymous under the SXDH assumption. More precisely, for any adversary $\mathcal{A}$ against the RIBE scheme, there exist probabilistic algorithms
$$\mathcal{B}_0,\quad \{\mathcal{B}_{\kappa_1,\kappa_2}\}_{\kappa_1 = 1,\dots,q_{n_1};\ \kappa_2 = 1,\dots,\lceil\log N_{max}\rceil},\quad \{\mathcal{B}_{\kappa_1,\kappa_2}\}_{\kappa_1 = q_{n_1}+1,\dots,q_{n_1}+q_{n_2};\ \kappa_2 = 1,\dots,N_{max}},\quad \{\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}\}_{\kappa_2 = 1,\dots,4N_{max}}$$
whose running times are essentially the same as that of $\mathcal{A}$, such that
$$\begin{aligned}
\mathrm{Adv}^{\mathrm{RIBE}}_{\mathcal{A}}(\lambda) \le (q_{n_1}q_{n_2})^2 \cdot \Big( &\mathrm{Adv}^{\mathrm{DDH1}}_{\mathcal{B}_0}(\lambda) + \sum_{\kappa_1=1}^{q_{n_1}} \sum_{\kappa_2=1}^{\lceil\log N_{max}\rceil} \mathrm{Adv}^{\mathrm{DDH2}}_{\mathcal{B}_{\kappa_1,\kappa_2}}(\lambda) + \sum_{\kappa_1=q_{n_1}+1}^{q_{n_1}+q_{n_2}} \sum_{\kappa_2=1}^{N_{max}} \mathrm{Adv}^{\mathrm{DDH2}}_{\mathcal{B}_{\kappa_1,\kappa_2}}(\lambda) \\
&+ \sum_{\kappa_2=1}^{4N_{max}} \mathrm{Adv}^{\mathrm{DDH2}}_{\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}}(\lambda) + \frac{4\,(q_{n_1}\lceil\log N_{max}\rceil + q_{n_2}N_{max}) + 24N_{max} + 3}{q}\Big),
\end{aligned}$$
where $q_{n_1}, q_{n_2} \ge 4$ are the maximum numbers of $\mathcal{A}$'s private key and key update queries respectively.



Proof: We adopt the dual system encryption methodology by Waters [31] to prove the security of our RIBE scheme. We use the concepts of semi-functional ciphertexts and semi-functional keys in our proof and provide algorithms that generate them. Particularly, we define two types of semi-functional keys: semi-functional private keys (for identity) and semi-functional key updates (for time). We note that the algorithms (we specify below) are only provided for definitional purposes, and are not part of the RIBE system. In particular, they do not need to be efficiently computable from the public parameters and the master key.

PriKeyGenSF: The algorithm picks $r_{\theta,1}, \nu_{\theta,4,1}, \nu_{\theta,5,1}, \nu_{\theta,6,1}$ randomly from $\mathbb{Z}_q$ and forms a semi-functional private key for node $\theta$ as
$$K^{(\mathrm{SF})}_{id,\theta} := g_2^{\,(\alpha_{\theta,1} + r_{\theta,1} id)\mathbf{d}_1^* - r_{\theta,1}\mathbf{d}_2^* + [\nu_{\theta,4,1}\mathbf{d}_4^* + \nu_{\theta,5,1}\mathbf{d}_5^* + \nu_{\theta,6,1}\mathbf{d}_6^*]}. \qquad (1)$$

KeyUpdSF: The algorithm picks $r_{\theta,2}, \nu_{\theta,4,2}, \nu_{\theta,5,2}, \nu_{\theta,6,2}$ randomly from $\mathbb{Z}_q$ and forms a semi-functional key update for node $\theta$ as
$$K^{(\mathrm{SF})}_{t,\theta} := g_2^{\,(\alpha_{\theta,2} + r_{\theta,2} t)\mathbf{d}_1^* - r_{\theta,2}\mathbf{d}_3^* + [\nu_{\theta,4,2}\mathbf{d}_4^* + \nu_{\theta,5,2}\mathbf{d}_5^* + \nu_{\theta,6,2}\mathbf{d}_6^*]}. \qquad (2)$$

EncryptSF: The algorithm picks $z, \chi_4, \chi_5, \chi_6$ randomly from $\mathbb{Z}_q$ and forms a semi-functional ciphertext as
$$\mathrm{CT}^{(\mathrm{SF})}_{id,t} := \Big( C := m \cdot (g_T)^{z},\quad C_0 := g_1^{\,z(\mathbf{d}_1 + id\,\mathbf{d}_2 + t\,\mathbf{d}_3) + (\chi_4\mathbf{d}_4 + \chi_5\mathbf{d}_5 + \chi_6\mathbf{d}_6)} \Big). \qquad (3)$$

We call a private key or key update semi-functional if all its parts are semi-functional, which are denoted as
$$\mathrm{SK}^{(\mathrm{SF})}_{id} := \{(\theta, K^{(\mathrm{SF})}_{id,\theta})\}_{\theta \in \mathrm{Path}(id)},\qquad \mathrm{KU}^{(\mathrm{SF})}_{t} := \{(\theta, K^{(\mathrm{SF})}_{t,\theta})\}_{\theta \in \mathrm{KUNodes}(\mathrm{BT},\mathrm{RL},t)}.$$

We observe that a normal ciphertext $\mathrm{CT}_{id,t}$ can be decrypted by a semi-functional key pair $(K^{(\mathrm{SF})}_{id,\theta}, K^{(\mathrm{SF})}_{t,\theta})$ on some node $\theta$, because $\mathbf{d}_4^*, \mathbf{d}_5^*, \mathbf{d}_6^*$ are orthogonal to all of the vectors in the exponent of $C_0$, and hence have no effect on decryption. Similarly, decryption of a semi-functional ciphertext $\mathrm{CT}^{(\mathrm{SF})}_{id,t}$ by a normal key pair $(K_{id,\theta}, K_{t,\theta})$ on some node $\theta$ will also succeed because $\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6$ are orthogonal to all of the vectors in the exponent of the key. When both the ciphertext and the key pair on some node are semi-functional, the result of $e(C_0^{(\mathrm{SF})}, K^{(\mathrm{SF})}_{id,\theta}) \cdot e(C_0^{(\mathrm{SF})}, K^{(\mathrm{SF})}_{t,\theta})$ will have an additional term, and decryption will then fail unless
$$\sum_{i=4}^{6} (\nu_{\theta,i,1} + \nu_{\theta,i,2})\,\chi_i\,\psi = 0 \bmod q.$$
If this modular equation holds, we say that the private key, key update and ciphertext pair is nominally semi-functional. In our security proof, there are two types of nominally semi-functional pairs:

Nominally semi-functional pair of Type I:
$$\begin{aligned}
K^{(\mathrm{SF})}_{id,\theta} &:= g_2^{\,(\alpha_{\theta,1} + r_{\theta,1} id)\mathbf{d}_1^* - r_{\theta,1}\mathbf{d}_2^* + [\nu_{\theta,4,1} id\,\mathbf{d}_4^* - \nu_{\theta,4,1}\mathbf{d}_5^*]}, \\
K^{(\mathrm{SF})}_{t,\theta} &:= g_2^{\,(\alpha_{\theta,2} + r_{\theta,2} t)\mathbf{d}_1^* - r_{\theta,2}\mathbf{d}_3^* + [\nu_{\theta,4,2} t\,\mathbf{d}_4^* - \nu_{\theta,4,2}\mathbf{d}_6^*]}, \\
\mathrm{CT}^{(\mathrm{SF})}_{id,t} &:= \Big( C := m \cdot (g_T)^{z},\quad C_0 := g_1^{\,z(\mathbf{d}_1 + id\,\mathbf{d}_2 + t\,\mathbf{d}_3) + [\chi_4(\mathbf{d}_4 + id\,\mathbf{d}_5 + t\,\mathbf{d}_6)]} \Big),
\end{aligned}$$
where $r_{\theta,1}, \nu_{\theta,4,1}, r_{\theta,2}, \nu_{\theta,4,2}, z, \chi_4 \leftarrow_R \mathbb{Z}_q$.

Nominally semi-functional pair of Type II:
$$\begin{aligned}
K^{(\mathrm{SF})}_{id,\theta} &:= g_2^{\,(\alpha_{\theta,1} + r_{\theta,1} id)\mathbf{d}_1^* - r_{\theta,1}\mathbf{d}_2^* + [(\alpha_\theta + \nu_{\theta,4,1} id)\mathbf{d}_4^* - \nu_{\theta,4,1}\mathbf{d}_5^*]}, \\
K^{(\mathrm{SF})}_{t,\theta} &:= g_2^{\,(\alpha_{\theta,2} + r_{\theta,2} t)\mathbf{d}_1^* - r_{\theta,2}\mathbf{d}_3^* + [(-\alpha_\theta + \nu_{\theta,4,2} t)\mathbf{d}_4^* - \nu_{\theta,4,2}\mathbf{d}_6^*]}, \\
\mathrm{CT}^{(\mathrm{SF})}_{id,t} &:= \Big( C := m \cdot (g_T)^{z},\quad C_0 := g_1^{\,z(\mathbf{d}_1 + id\,\mathbf{d}_2 + t\,\mathbf{d}_3) + [\chi_4(\mathbf{d}_4 + id\,\mathbf{d}_5 + t\,\mathbf{d}_6)]} \Big),
\end{aligned}$$
where $\alpha_\theta, r_{\theta,1}, \nu_{\theta,4,1}, r_{\theta,2}, \nu_{\theta,4,2}, z, \chi_4 \leftarrow_R \mathbb{Z}_q$.

Note that the nominally semi-functional pair of Type I is used to transform the non-challenge private key and key update queries into semi-functional ones, while Type II is for the challenge private key and key update queries.
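As an added illustration that is not part of the paper, the following Python script simulates the exponent arithmetic behind Dec and the semi-functional machinery above: since $e(g_1^{\mathbf{x}}, g_2^{\mathbf{y}}) = e(g_1,g_2)^{\mathbf{x}\cdot\mathbf{y}}$, every pairing reduces to an inner product over $\mathbb{Z}_q$, so a small constructed prime $q$ and random dual orthonormal bases suffice to check that normal, semi-functional and nominally semi-functional (Type I and Type II) pairs decrypt exactly as claimed. The modulus, the random sampling and all helper names are assumptions of this simulation, not the paper's.

```python
import random

# Constructed toy prime standing in for the group order q (assumption: the
# argument only uses arithmetic in Z_q, so any prime serves for the simulation).
Q = 1000003
N = 6  # dimension of the dual pairing vector space used by the scheme


def inv_mod(a):
    return pow(a % Q, Q - 2, Q)


def mat_inv(M):
    """Gauss-Jordan inverse over Z_Q; returns None if M is singular."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c] % Q), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        iv = inv_mod(A[c][c])
        A[c] = [x * iv % Q for x in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                f = A[r][c]
                A[r] = [(x - f * y) % Q for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q


def lin(*terms):
    """Linear combination of (coefficient, vector) pairs over Z_Q."""
    out = [0] * N
    for coef, vec in terms:
        out = [(o + coef * x) % Q for o, x in zip(out, vec)]
    return out


def dual_bases(rng):
    """Random dual orthonormal bases D, D* with d_i . d_j* = psi if i == j, else 0."""
    while True:
        B = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
        Binv = mat_inv(B)
        if Binv is not None:
            break
    psi = rng.randrange(1, Q)
    D = B                                                               # d_i is row i of B
    Dstar = [[psi * Binv[r][i] % Q for r in range(N)] for i in range(N)]  # d_i* = psi * column i of B^-1
    return D, Dstar, psi


def bases_dual(D, Dstar, psi):
    return all(dot(D[i], Dstar[j]) == (psi if i == j else 0) for i in range(N) for j in range(N))


def key_id(Dstar, a1, r, idv, nu=(0, 0, 0)):
    """Exponent of K_{id,theta}: (alpha_{theta,1} + r id) d1* - r d2* [+ nu_4 d4* + nu_5 d5* + nu_6 d6*]."""
    return lin((a1 + r * idv, Dstar[0]), (-r, Dstar[1]),
               (nu[0], Dstar[3]), (nu[1], Dstar[4]), (nu[2], Dstar[5]))


def key_t(Dstar, a2, r, t, nu=(0, 0, 0)):
    """Exponent of K_{t,theta}: (alpha_{theta,2} + r t) d1* - r d3* [+ semi-functional part over d4*..d6*]."""
    return lin((a2 + r * t, Dstar[0]), (-r, Dstar[2]),
               (nu[0], Dstar[3]), (nu[1], Dstar[4]), (nu[2], Dstar[5]))


def ct0(D, z, idv, t, chi=(0, 0, 0)):
    """Exponent of C0: z(d1 + id d2 + t d3) [+ chi_4 d4 + chi_5 d5 + chi_6 d6]."""
    return lin((z, D[0]), (z * idv, D[1]), (z * t, D[2]),
               (chi[0], D[3]), (chi[1], D[4]), (chi[2], D[5]))


def decrypts(c0, kid, kt, z, alpha, psi):
    """Dec succeeds iff e(C0,K_id).e(C0,K_t) = e(g1,g2)^(c0.kid + c0.kt) equals (g_T)^z = e(g1,g2)^(alpha psi z)."""
    return (dot(c0, kid) + dot(c0, kt)) % Q == alpha * psi * z % Q


def demo(seed=1):
    """Run the normal, semi-functional and nominally semi-functional cases; returns case -> decrypts?"""
    rng = random.Random(seed)

    def rnd():
        return rng.randrange(1, Q)

    D, Dstar, psi = dual_bases(rng)
    idv, t, z, a1, a2, r1, r2 = (rnd() for _ in range(7))
    alpha = (a1 + a2) % Q                      # alpha_{theta,1} + alpha_{theta,2} = alpha
    nu1, nu2, chi = [(rnd(), rnd(), rnd()) for _ in range(3)]
    normal_ct, sf_ct = ct0(D, z, idv, t), ct0(D, z, idv, t, chi)
    normal_keys = (key_id(Dstar, a1, r1, idv), key_t(Dstar, a2, r2, t))
    sf_keys = (key_id(Dstar, a1, r1, idv, nu1), key_t(Dstar, a2, r2, t, nu2))
    # Nominally semi-functional pairs: SF parts chosen so that the extra term sum_i (nu_i,1 + nu_i,2) chi_i vanishes.
    n1, n2, x4, a_th = rnd(), rnd(), rnd(), rnd()
    nom_ct = ct0(D, z, idv, t, (x4, x4 * idv % Q, x4 * t % Q))                 # chi_4 (d4 + id d5 + t d6)
    type1 = (key_id(Dstar, a1, r1, idv, (n1 * idv % Q, -n1 % Q, 0)),           # nu (id d4* - d5*)
             key_t(Dstar, a2, r2, t, (n2 * t % Q, 0, -n2 % Q)))                # nu (t d4* - d6*)
    type2 = (key_id(Dstar, a1, r1, idv, ((a_th + n1 * idv) % Q, -n1 % Q, 0)),  # (a_th + nu id) d4* - nu d5*
             key_t(Dstar, a2, r2, t, ((n2 * t - a_th) % Q, 0, -n2 % Q)))       # (-a_th + nu t) d4* - nu d6*
    return {
        "bases_dual_orthonormal": bases_dual(D, Dstar, psi),
        "normal_ct_normal_keys": decrypts(normal_ct, *normal_keys, z, alpha, psi),
        "sf_ct_normal_keys": decrypts(sf_ct, *normal_keys, z, alpha, psi),
        "normal_ct_sf_keys": decrypts(normal_ct, *sf_keys, z, alpha, psi),
        "sf_ct_sf_keys": decrypts(sf_ct, *sf_keys, z, alpha, psi),            # fails: extra term is nonzero
        "nominal_type_I": decrypts(nom_ct, *type1, z, alpha, psi),
        "nominal_type_II": decrypts(nom_ct, *type2, z, alpha, psi),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'decrypts' if ok else 'FAILS'}")
```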

Assume that a probabilistic polynomial-time adversary $\mathcal{A}$ makes at most $q_{n_1}$ private key queries $id_1, \dots, id_{q_{n_1}}$ and $q_{n_2}$ key update queries $t_1, \dots, t_{q_{n_2}}$. Since there are many types of adversaries according to whether the challenges $id^*_{(0)}, id^*_{(1)}, t^*_{(0)}, t^*_{(1)}$ are queried and the restriction of queries, in order to simplify and unify the reduction, we add four dummy queries $id_{q_{n_1}+1}, id_{q_{n_1}+2}, t_{q_{n_2}+1}, t_{q_{n_2}+2}$ (the keys for these queries will not be given to $\mathcal{A}$), which makes the challenge identities $id^*_{(0)}, id^*_{(1)}$ and times $t^*_{(0)}, t^*_{(1)}$ be included in the $q_{n_1}+2$ private key queries and the $q_{n_2}+2$ key update queries. For any adversary, we use values $\varphi_1, \varphi_2$ ($0 < \varphi_1 < \varphi_2 \le q_{n_1}+2$) to indicate the positions of $id^*_{(0)}, id^*_{(1)}$ being queried, namely either the $\varphi_1$-th or $\varphi_2$-th query is $id^*_{(0)}$ and the other is $id^*_{(1)}$. Similarly, we use values $\varphi_3, \varphi_4$ ($0 < \varphi_3 < \varphi_4 \le q_{n_2}+2$) to indicate the positions of $t^*_{(0)}, t^*_{(1)}$ being queried.

Our proof of security consists of the following sequence of games between the adversary $\mathcal{A}$ and challengers.

• $\mathrm{Game}_{Real}$: is the real security game.

• $\mathrm{Game}_{Real'}$: is a preliminary game, which is the same as $\mathrm{Game}_{Real}$ except that the challenger picks $\hat\varphi_1, \hat\varphi_2 \leftarrow_R [q_{n_1}+2]$ ($0 < \hat\varphi_1 < \hat\varphi_2 \le q_{n_1}+2$) and $\hat\varphi_3, \hat\varphi_4 \leftarrow_R [q_{n_2}+2]$ ($0 < \hat\varphi_3 < \hat\varphi_4 \le q_{n_2}+2$) before setup, and the game is aborted if $\hat\varphi_i \neq \varphi_i$ for any $i \in [4]$.

// Guess the positions of the challenge identities $id^*_{(0)}, id^*_{(1)}$ and times $t^*_{(0)}, t^*_{(1)}$. If the guess is incorrect then the game aborts. Re-write
$$\Gamma_1 := \{id'_1, \dots, id'_{q_{n_1}}\} = \{id_1, \dots, id_{q_{n_1}+2}\} \setminus \{id_{\varphi_1}, id_{\varphi_2}\},$$
$$\Gamma_2 := \{t'_1, \dots, t'_{q_{n_2}}\} = \{t_1, \dots, t_{q_{n_2}+2}\} \setminus \{t_{\varphi_3}, t_{\varphi_4}\}.$$

• $\mathrm{Game}_0$: is the same as $\mathrm{Game}_{Real'}$ except that the challenge ciphertext is semi-functional.

• $\mathrm{Game}_{\kappa_1,\kappa_2}$: for $\kappa_1$ from 1 to $q_{n_1}$, for $\kappa_2$ from 1 to $\lceil\log N_{max}\rceil$, $\mathrm{Game}_{\kappa_1,\kappa_2}$ is the same as $\mathrm{Game}_0$ except that the first $\kappa_1 - 1$ private keys and the first $\kappa_2$ components of the $\kappa_1$-th private key for $\Gamma_1$ are semi-functional and the remaining keys are normal.

// Transform all private keys into semi-functional ones (one by one and node by node) except the $\hat\varphi_1$-th and $\hat\varphi_2$-th private key queries. Namely, the private keys for the challenge identities $id^*_{(0)}, id^*_{(1)}$ (if queried) are still normal. Note that the number of nodes associated with a private key is $\lceil\log N_{max}\rceil$. Moreover, $\mathrm{Game}_{1,0}$ and $\mathrm{Game}_0$, and $\mathrm{Game}_{\kappa_1,\lceil\log N_{max}\rceil}$ and $\mathrm{Game}_{\kappa_1+1,0}$, are identical.

• $\mathrm{Game}_{\kappa_1,\kappa_2}$: for $\kappa_1$ from $q_{n_1}+1$ to $q_{n_1}+q_{n_2}$, for $\kappa_2$ from 1 to $N_{max}$, $\mathrm{Game}_{\kappa_1,\kappa_2}$ is the same as $\mathrm{Game}_{q_{n_1},\lceil\log N_{max}\rceil}$ (namely all private keys for $\Gamma_1$ are semi-functional) except that the first $\kappa_1 - q_{n_1} - 1$ key updates and the first $\kappa_2$ components of the $(\kappa_1 - q_{n_1})$-th key update for $\Gamma_2$ are semi-functional and the remaining key updates are normal.

// Transform all key updates into semi-functional ones (one by one and node by node) except the $\hat\varphi_3$-th and $\hat\varphi_4$-th key update queries. Namely, the key updates for the challenge times $t^*_{(0)}, t^*_{(1)}$ (if queried) are still normal. Note that a key update for a time updates at most $N_{max}$ nodes. Moreover, $\mathrm{Game}_{q_{n_1},\lceil\log N_{max}\rceil}$ and $\mathrm{Game}_{q_{n_1}+1,0}$, and $\mathrm{Game}_{\kappa_1,N_{max}}$ and $\mathrm{Game}_{\kappa_1+1,0}$, are identical.

• $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,\kappa_2}$: for $\kappa_2$ from 1 to $4N_{max}$, $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ is the same as $\mathrm{Game}_{q_{n_1}+q_{n_2},N_{max}}$ (namely all private keys for $\Gamma_1$ and key updates for $\Gamma_2$ are semi-functional) except that the $\hat\varphi_1, \hat\varphi_2$-th private keys and the $\hat\varphi_3, \hat\varphi_4$-th key updates for the first $\kappa_2$ nodes are semi-functional and the remaining keys are normal.

// Transform the $\varphi_1, \varphi_2$-th private key and the $\varphi_3, \varphi_4$-th key update queries into semi-functional ones (node by node). Note that there are at most $2^{\lceil\log N_{max}\rceil + 1}$ ($\le 4N_{max}$) nodes in the binary tree. Moreover, $\mathrm{Game}_{q_{n_1}+q_{n_2},N_{max}}$ and $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,0}$ are identical, and all keys are semi-functional in $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,4N_{max}}$.

• $\mathrm{Game}_{Final}$: is the same as $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,4N_{max}}$, except that the challenge ciphertext is a semi-functional encryption of a random message in $\mathbb{G}_T$ under a random identity in $\mathbb{Z}_q$ and a random time in $\mathbb{Z}_q$. We denote the challenge ciphertext in $\mathrm{Game}_{Final}$ as $\mathrm{CT}^{(\mathrm{SF})}_{id_{(R)},t_{(R)}}$.

We prove the following lemmas to show the above games are indistinguishable. The advantage gap between $\mathrm{Game}_{Real'}$ and $\mathrm{Game}_0$ is bounded by the advantage of the Subspace assumption in $\mathbb{G}_1$. Additionally, we require a statistical indistinguishability argument to show that the distribution of the challenge ciphertext remains the same from the adversary's view. Similarly, the advantage gap between any two consecutive games from $\mathrm{Game}_0$ to $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,4N_{max}}$ is bounded by the advantage of the Subspace assumption in $\mathbb{G}_2$. Finally, we statistically transform $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,4N_{max}}$ to $\mathrm{Game}_{Final}$ in one step, i.e., we show the joint distributions of parameters in these two games are equivalent from the adversary's view.

We let $\mathrm{Adv}^{\mathrm{Game}_{Real}}_{\mathcal{A}}(\lambda)$ denote an adversary $\mathcal{A}$'s advantage in the real game.

Lemma 4. For any adversary $\mathcal{A}$, $\mathrm{Adv}^{\mathrm{Game}_{Real}}_{\mathcal{A}}(\lambda) \le (q_{n_1}q_{n_2})^2 \cdot \mathrm{Adv}^{\mathrm{Game}_{Real'}}_{\mathcal{A}}(\lambda)$.

Proof: Since $\hat\varphi_1, \hat\varphi_2, \hat\varphi_3, \hat\varphi_4$ are uniformly and independently generated, and are hidden from the adversary $\mathcal{A}$'s view, the game is non-aborted with probability
$$\frac{4}{(q_{n_1}+2)(q_{n_1}+1)(q_{n_2}+2)(q_{n_2}+1)}.$$
Thus,
$$\mathrm{Adv}^{\mathrm{Game}_{Real}}_{\mathcal{A}}(\lambda) = \frac{(q_{n_1}+2)(q_{n_1}+1)(q_{n_2}+2)(q_{n_2}+1)}{4} \cdot \mathrm{Adv}^{\mathrm{Game}_{Real'}}_{\mathcal{A}}(\lambda) \le (q_{n_1}q_{n_2})^2 \cdot \mathrm{Adv}^{\mathrm{Game}_{Real'}}_{\mathcal{A}}(\lambda). \qquad \blacksquare$$

Lemma 5. Suppose that there exists an adversary $\mathcal{A}$ where $|\mathrm{Adv}^{\mathrm{Game}_{Real'}}_{\mathcal{A}}(\lambda) - \mathrm{Adv}^{\mathrm{Game}_0}_{\mathcal{A}}(\lambda)| = \varepsilon$. Then there exists an algorithm $\mathcal{B}_0$ such that $\mathrm{Adv}^{\mathrm{DS1}}_{\mathcal{B}_0}(\lambda) = \varepsilon + \frac{2}{q}$, with $K = 3$ and $N = 6$.

Proof: $\mathcal{B}_0$ is given
$$D := (\mathbb{G};\ g_1^{\mathbf{b}_1}, g_1^{\mathbf{b}_2}, g_1^{\mathbf{b}_3},\ g_2^{\mathbf{b}_1^*}, \dots, g_2^{\mathbf{b}_3^*},\ U_1, U_2, U_3,\ \mu_2)$$
along with $T_1, T_2, T_3$. We require that $\mathcal{B}_0$ decides whether $T_1, T_2, T_3$ are distributed as $g_1^{\tau_1\mathbf{b}_1}, g_1^{\tau_1\mathbf{b}_2}, g_1^{\tau_1\mathbf{b}_3}$ or
$$g_1^{\tau_1\mathbf{b}_1 + \tau_2\mathbf{b}_4},\ g_1^{\tau_1\mathbf{b}_2 + \tau_2\mathbf{b}_5},\ g_1^{\tau_1\mathbf{b}_3 + \tau_2\mathbf{b}_6}.$$

$\mathcal{B}_0$ simulates $\mathrm{Game}_{Real'}$ or $\mathrm{Game}_0$ with $\mathcal{A}$, depending on the distribution of $T_1, T_2, T_3$. To compute the public parameters and master key, $\mathcal{B}_0$ chooses a random invertible matrix $\mathbf{A} \in \mathbb{Z}_q^{3\times 3}$ ($\mathbf{A}$ is invertible with overwhelming probability if it is uniformly picked) and implicitly sets dual orthonormal bases $\mathbb{D}, \mathbb{D}^*$ to:
$$\begin{aligned}
\mathbf{d}_1 &:= \mathbf{b}_1, & \mathbf{d}_2 &:= \mathbf{b}_2, & \mathbf{d}_3 &:= \mathbf{b}_3, & (\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6) &:= (\mathbf{b}_4, \mathbf{b}_5, \mathbf{b}_6)\mathbf{A}, \\
\mathbf{d}_1^* &:= \mathbf{b}_1^*, & \mathbf{d}_2^* &:= \mathbf{b}_2^*, & \mathbf{d}_3^* &:= \mathbf{b}_3^*, & (\mathbf{d}_4^*, \mathbf{d}_5^*, \mathbf{d}_6^*) &:= (\mathbf{b}_4^*, \mathbf{b}_5^*, \mathbf{b}_6^*)(\mathbf{A}^{-1})^{\top}.
\end{aligned}$$
We note that $\mathbb{D}, \mathbb{D}^*$ are properly distributed, and reveal no information about $\mathbf{A}$. Moreover, $\mathcal{B}_0$ cannot generate $g_2^{\mathbf{d}_4^*}, g_2^{\mathbf{d}_5^*}, g_2^{\mathbf{d}_6^*}$, but these will not be needed for creating normal private keys and key updates. $\mathcal{B}_0$ chooses a random value $\alpha \in \mathbb{Z}_q$ and computes $g_T := e(g_1, g_2)^{\alpha\,\mathbf{d}_1\cdot\mathbf{d}_1^*}$. It then gives $\mathcal{A}$ the public parameters
$$\mathrm{PP} := \{\mathbb{G};\ g_T, g_1^{\mathbf{d}_1}, g_1^{\mathbf{d}_2}, g_1^{\mathbf{d}_3}\}.$$
The master key
$$\mathrm{MK} := \{\alpha, g_2^{\mathbf{d}_1^*}, g_2^{\mathbf{d}_2^*}, g_2^{\mathbf{d}_3^*}\}$$
is known to $\mathcal{B}_0$, which allows $\mathcal{B}_0$ to respond to all of $\mathcal{A}$'s queries by calling the normal private key, key update, and key revocation algorithms.

$\mathcal{A}$ sends $\mathcal{B}_0$ two pairs $(id^*_{(0)}, t^*_{(0)}, m^*_{(0)})$ and $(id^*_{(1)}, t^*_{(1)}, m^*_{(1)})$. $\mathcal{B}_0$ chooses a random bit $\beta \in \{0, 1\}$ and encrypts $m^*_{(\beta)}$ under $(id^*_{(\beta)}, t^*_{(\beta)})$ as follows:
$$C := m^*_{(\beta)} \cdot \big(e(T_1, g_2^{\mathbf{d}_1^*})\big)^{\alpha},\qquad C_0 := T_1\,(T_2)^{id^*_{(\beta)}}\,(T_3)^{t^*_{(\beta)}},$$
where $\mathcal{B}_0$ has implicitly set $z := \tau_1$. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$.

Now, if $T_1, T_2, T_3$ are equal to $g_1^{\tau_1\mathbf{b}_1}, g_1^{\tau_1\mathbf{b}_2}, g_1^{\tau_1\mathbf{b}_3}$, then this is a properly distributed normal encryption of $m^*_{(\beta)}$. In this case, $\mathcal{B}_0$ has properly simulated $\mathrm{Game}_{Real'}$. If $T_1, T_2, T_3$ are equal to $g_1^{\tau_1\mathbf{b}_1 + \tau_2\mathbf{b}_4}, g_1^{\tau_1\mathbf{b}_2 + \tau_2\mathbf{b}_5}, g_1^{\tau_1\mathbf{b}_3 + \tau_2\mathbf{b}_6}$ instead, then the ciphertext element $C_0$ has an additional term of
$$\tau_2\mathbf{b}_4 + id^*_{(\beta)}\tau_2\mathbf{b}_5 + t^*_{(\beta)}\tau_2\mathbf{b}_6$$
in its exponent. The coefficients here in the basis $\mathbf{b}_4, \mathbf{b}_5, \mathbf{b}_6$ form the vector $(\tau_2, id^*_{(\beta)}\tau_2, t^*_{(\beta)}\tau_2)$. To compute the coefficients in the basis $\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6$, we multiply the matrix $\mathbf{A}^{-1}$ by the transpose of this vector, obtaining $\tau_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}$. Since $\mathbf{A}$ is random (everything else given to $\mathcal{A}$ has been distributed independently of $\mathbf{A}$), these coefficients are uniformly random except with probability $2/q$ (namely, the cases where $\tau_2$ defined in the Subspace problem is zero, or $(\chi_4, \chi_5, \chi_6)$ defined in Equation (3) is the zero vector) from Lemma 2. Therefore, in this case, $\mathcal{B}_0$ has properly simulated $\mathrm{Game}_0$. This allows $\mathcal{B}_0$ to leverage $\mathcal{A}$'s advantage $\varepsilon$ between $\mathrm{Game}_{Real'}$ and $\mathrm{Game}_0$ to achieve an advantage $\varepsilon + \frac{2}{q}$ against the Subspace assumption in $\mathbb{G}_1$, namely $\mathrm{Adv}^{\mathrm{DS1}}_{\mathcal{B}_0}(\lambda) = \varepsilon + \frac{2}{q}$. $\blacksquare$

Lemma 6. For $\kappa_1$ from 1 to $q_{n_1}$, for $\kappa_2$ from 1 to $\lceil\log N_{max}\rceil$, suppose that there exists an adversary $\mathcal{A}$ where $|\mathrm{Adv}^{\mathrm{Game}_{\kappa_1,\kappa_2-1}}_{\mathcal{A}}(\lambda) - \mathrm{Adv}^{\mathrm{Game}_{\kappa_1,\kappa_2}}_{\mathcal{A}}(\lambda)| = \varepsilon$. Then there exists an algorithm $\mathcal{B}_{\kappa_1,\kappa_2}$ such that $\mathrm{Adv}^{\mathrm{DS2}}_{\mathcal{B}_{\kappa_1,\kappa_2}}(\lambda) = \varepsilon + \frac{4}{q}$, with $K = 3$ and $N = 6$.

Proof: $\mathcal{B}_{\kappa_1,\kappa_2}$ is given
$$D := (\mathbb{G};\ g_1^{\mathbf{b}_1}, g_1^{\mathbf{b}_2}, g_1^{\mathbf{b}_3},\ g_2^{\mathbf{b}_1^*}, \dots, g_2^{\mathbf{b}_6^*},\ U_1, U_2, U_3,\ \mu_2)$$
along with $T_1, T_2, T_3$. We require that $\mathcal{B}_{\kappa_1,\kappa_2}$ decides whether $T_1, T_2, T_3$ are distributed as $g_2^{\tau_1\mathbf{b}_1^*}, g_2^{\tau_1\mathbf{b}_2^*}, g_2^{\tau_1\mathbf{b}_3^*}$ or
$$g_2^{\tau_1\mathbf{b}_1^* + \tau_2\mathbf{b}_4^*},\ g_2^{\tau_1\mathbf{b}_2^* + \tau_2\mathbf{b}_5^*},\ g_2^{\tau_1\mathbf{b}_3^* + \tau_2\mathbf{b}_6^*}.$$

$\mathcal{B}_{\kappa_1,\kappa_2}$ simulates $\mathrm{Game}_{\kappa_1,\kappa_2}$ or $\mathrm{Game}_{\kappa_1,\kappa_2-1}$ with $\mathcal{A}$, depending on the distribution of $T_1, T_2, T_3$. To compute the public parameters and master key, $\mathcal{B}_{\kappa_1,\kappa_2}$ chooses a random matrix $\mathbf{A} \in \mathbb{Z}_q^{3\times 3}$ (with all but negligible probability, $\mathbf{A}$ is invertible). We then implicitly set dual orthonormal bases $\mathbb{D}, \mathbb{D}^*$ to:
$$\begin{aligned}
\mathbf{d}_1 &:= \mathbf{b}_1, & \mathbf{d}_2 &:= \mathbf{b}_2, & \mathbf{d}_3 &:= \mathbf{b}_3, & (\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6) &:= (\mathbf{b}_4, \mathbf{b}_5, \mathbf{b}_6)\mathbf{A}, \\
\mathbf{d}_1^* &:= \mathbf{b}_1^*, & \mathbf{d}_2^* &:= \mathbf{b}_2^*, & \mathbf{d}_3^* &:= \mathbf{b}_3^*, & (\mathbf{d}_4^*, \mathbf{d}_5^*, \mathbf{d}_6^*) &:= (\mathbf{b}_4^*, \mathbf{b}_5^*, \mathbf{b}_6^*)(\mathbf{A}^{-1})^{\top}.
\end{aligned}$$
We note that $\mathbb{D}, \mathbb{D}^*$ are properly distributed, and reveal no information about $\mathbf{A}$. $\mathcal{B}_{\kappa_1,\kappa_2}$ chooses a random value $\alpha \in \mathbb{Z}_q$ and computes $g_T := e(g_1, g_2)^{\alpha\,\mathbf{d}_1\cdot\mathbf{d}_1^*}$. $\mathcal{B}_{\kappa_1,\kappa_2}$ then gives $\mathcal{A}$ the public parameters
$$\mathrm{PP} := \{\mathbb{G};\ g_T, g_1^{\mathbf{d}_1}, g_1^{\mathbf{d}_2}, g_1^{\mathbf{d}_3}\}.$$
The master key
$$\mathrm{MK} := \{\alpha, g_2^{\mathbf{d}_1^*}, g_2^{\mathbf{d}_2^*}, g_2^{\mathbf{d}_3^*}\}$$
is known to $\mathcal{B}_{\kappa_1,\kappa_2}$, which allows $\mathcal{B}_{\kappa_1,\kappa_2}$ to respond to all of $\mathcal{A}$'s private key and key update queries by calling the normal key generation algorithm. Since $\mathcal{B}_{\kappa_1,\kappa_2}$ also knows $g_2^{\mathbf{d}_4^*}, g_2^{\mathbf{d}_5^*}$, and $g_2^{\mathbf{d}_6^*}$, it can easily produce semi-functional keys. To answer the key queries that $\mathcal{A}$ makes, $\mathcal{B}_{\kappa_1,\kappa_2}$ runs the semi-functional private key and key update generation algorithms to produce semi-functional keys and gives these to $\mathcal{A}$. To answer the $\kappa_2$-th component of the $\kappa_1$-th private key for $id'_{\kappa_1}$, $\mathcal{B}_{\kappa_1,\kappa_2}$ responds with:
$$K_{id'_{\kappa_1},\theta} := g_2^{\alpha_{\theta,1}\mathbf{b}_1^*} \cdot (T_1)^{id'_{\kappa_1}} \cdot (T_2)^{-1}.$$
This implicitly sets $r_{\theta,1} := \tau_1$. If $T_1, T_2, T_3$ are equal to $g_2^{\tau_1\mathbf{b}_1^*}, g_2^{\tau_1\mathbf{b}_2^*}, g_2^{\tau_1\mathbf{b}_3^*}$, then this is a properly distributed normal private key. Otherwise, if $T_1, T_2, T_3$ are equal to $g_2^{\tau_1\mathbf{b}_1^* + \tau_2\mathbf{b}_4^*}, g_2^{\tau_1\mathbf{b}_2^* + \tau_2\mathbf{b}_5^*}, g_2^{\tau_1\mathbf{b}_3^* + \tau_2\mathbf{b}_6^*}$, then this is a semi-functional key, whose exponent vector includes
$$id'_{\kappa_1}\tau_2\mathbf{b}_4^* - \tau_2\mathbf{b}_5^* \qquad (4)$$
as its component in the span of $\mathbf{b}_4^*, \mathbf{b}_5^*, \mathbf{b}_6^*$. To respond to the remaining key queries, $\mathcal{B}_{\kappa_1,\kappa_2}$ simply runs the normal key generation algorithm.

At some point, $\mathcal{A}$ sends $\mathcal{B}_{\kappa_1,\kappa_2}$ two pairs $(id^*_{(0)}, t^*_{(0)}, m^*_{(0)})$ and $(id^*_{(1)}, t^*_{(1)}, m^*_{(1)})$. $\mathcal{B}_{\kappa_1,\kappa_2}$ chooses a random bit $\beta \in \{0, 1\}$ and encrypts $m^*_{(\beta)}$ under $(id^*_{(\beta)}, t^*_{(\beta)})$ as follows:
$$C := m^*_{(\beta)} \cdot \big(e(U_1, g_2^{\mathbf{d}_1^*})\big)^{\alpha} = m^*_{(\beta)} \cdot (g_T)^{\mu_1},\qquad C_0 := U_1\,(U_2)^{id^*_{(\beta)}}\,(U_3)^{t^*_{(\beta)}},$$
where $\mathcal{B}_{\kappa_1,\kappa_2}$ has implicitly set $z := \mu_1$. The "semi-functional part" of the exponent vector here is:
$$\mu_2\mathbf{b}_4 + id^*_{(\beta)}\mu_2\mathbf{b}_5 + t^*_{(\beta)}\mu_2\mathbf{b}_6. \qquad (5)$$

We observe that if $id^*_{(\beta)} = id'_{\kappa_1}$ (which is impossible), then vectors (4) and (5) would be orthogonal, resulting in a nominally semi-functional ciphertext and key pair ($\mathcal{B}_{\kappa_1,\kappa_2}$ can also use $T_1, T_2, T_3$ to generate the key update part for $t^*_{(\beta)}$) of Type I. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$.

We now argue that since $id^*_{(\beta)} \neq id'_{\kappa_1}$, in $\mathcal{A}$'s view the vectors (4) and (5) are distributed as random vectors in the spans of $\mathbf{d}_4^*, \mathbf{d}_5^*, \mathbf{d}_6^*$ and $\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6$ respectively. To see this, we take the coefficients of vectors (4) and (5) in terms of the bases $\mathbf{b}_4^*, \mathbf{b}_5^*, \mathbf{b}_6^*$ and $\mathbf{b}_4, \mathbf{b}_5, \mathbf{b}_6$ respectively and translate them into coefficients in terms of the bases $\mathbf{d}_4^*, \mathbf{d}_5^*, \mathbf{d}_6^*$ and $\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6$. Using the change of basis matrix $\mathbf{A}$, we obtain the new coefficients (in vector form) as:
$$\tau_2\mathbf{A}^{\top}(id'_{\kappa_1}, -1, 0)^{\top},\qquad \mu_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}.$$
Since the distribution of everything given to $\mathcal{A}$ except for the $\kappa_2$-th component of the $\kappa_1$-th private key $K_{id'_{\kappa_1},\theta}$ and the challenge ciphertext $(C, C_0)$ is independent of the random matrix $\mathbf{A}$, and $id^*_{(\beta)} \neq id'_{\kappa_1}$, we can conclude that these coefficients are uniformly distributed except with probability $4/q$ (namely, the cases where $\mu_2$ or $\tau_2$ defined in the Subspace problem is zero, or $(\chi_4, \chi_5, \chi_6)$ or $(\nu_{\theta,4,1}, \nu_{\theta,5,1}, \nu_{\theta,6,1})$ defined in Equations (3) and (1) is the zero vector) from Lemma 2. Thus, $\mathcal{B}_{\kappa_1,\kappa_2}$ has properly simulated $\mathrm{Game}_{\kappa_1,\kappa_2}$ in this case.

If $T_1, T_2, T_3$ are equal to $g_2^{\tau_1\mathbf{b}_1^*}, g_2^{\tau_1\mathbf{b}_2^*}, g_2^{\tau_1\mathbf{b}_3^*}$, then the coefficients of the vector (5) are uniformly distributed except with probability $2/q$ (namely, the cases where $\mu_2$ defined in the Subspace problem is zero, or $(\chi_4, \chi_5, \chi_6)$ defined in Equation (3) is the zero vector) from Lemma 2. Thus, $\mathcal{B}_{\kappa_1,\kappa_2}$ has properly simulated $\mathrm{Game}_{\kappa_1,\kappa_2-1}$ in this case.

In summary, $\mathcal{B}_{\kappa_1,\kappa_2}$ has properly simulated either $\mathrm{Game}_{\kappa_1,\kappa_2-1}$ or $\mathrm{Game}_{\kappa_1,\kappa_2}$ for $\mathcal{A}$, depending on the distribution of $T_1, T_2, T_3$. It can therefore leverage $\mathcal{A}$'s advantage $\varepsilon$ between these games to obtain an advantage $\varepsilon + \frac{4}{q}$ against the Subspace assumption in $\mathbb{G}_2$, namely $\mathrm{Adv}^{\mathrm{DS2}}_{\mathcal{B}_{\kappa_1,\kappa_2}}(\lambda) = \varepsilon + \frac{4}{q}$. $\blacksquare$






Lemma 7. For $\kappa_1$ from $q_{n_1}+1$ to $q_{n_1}+q_{n_2}$, for $\kappa_2$ from 1 to $N_{max}$, suppose that there exists an adversary $\mathcal{A}$ where $|\mathrm{Adv}^{\mathrm{Game}_{\kappa_1,\kappa_2-1}}_{\mathcal{A}}(\lambda) - \mathrm{Adv}^{\mathrm{Game}_{\kappa_1,\kappa_2}}_{\mathcal{A}}(\lambda)| = \varepsilon$. Then there exists an algorithm $\mathcal{B}_{\kappa_1,\kappa_2}$ such that $\mathrm{Adv}^{\mathrm{DS2}}_{\mathcal{B}_{\kappa_1,\kappa_2}}(\lambda) = \varepsilon + \frac{4}{q}$, with $K = 3$ and $N = 6$.
Proof: $\mathcal{B}_{\kappa_1,\kappa_2}$ is given $D$ along with $T_1, T_2, T_3$. We require that $\mathcal{B}_{\kappa_1,\kappa_2}$ decides whether $T_1, T_2, T_3$ are distributed as $g_2^{\tau_1\mathbf{b}_1^*}, g_2^{\tau_1\mathbf{b}_2^*}, g_2^{\tau_1\mathbf{b}_3^*}$ or
$$g_2^{\tau_1\mathbf{b}_1^* + \tau_2\mathbf{b}_4^*},\ g_2^{\tau_1\mathbf{b}_2^* + \tau_2\mathbf{b}_5^*},\ g_2^{\tau_1\mathbf{b}_3^* + \tau_2\mathbf{b}_6^*}.$$

$\mathcal{B}_{\kappa_1,\kappa_2}$ simulates $\mathrm{Game}_{\kappa_1,\kappa_2}$ or $\mathrm{Game}_{\kappa_1,\kappa_2-1}$ with $\mathcal{A}$, depending on the distribution of $T_1, T_2, T_3$. To compute the public parameters and master key, $\mathcal{B}_{\kappa_1,\kappa_2}$ chooses a random matrix $\mathbf{A} \in \mathbb{Z}_q^{3\times 3}$ (with all but negligible probability, $\mathbf{A}$ is invertible). We then implicitly set dual orthonormal bases $\mathbb{D}, \mathbb{D}^*$ to:
$$\begin{aligned}
\mathbf{d}_1 &:= \mathbf{b}_1, & \mathbf{d}_2 &:= \mathbf{b}_2, & \mathbf{d}_3 &:= \mathbf{b}_3, & (\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6) &:= (\mathbf{b}_4, \mathbf{b}_5, \mathbf{b}_6)\mathbf{A}, \\
\mathbf{d}_1^* &:= \mathbf{b}_1^*, & \mathbf{d}_2^* &:= \mathbf{b}_2^*, & \mathbf{d}_3^* &:= \mathbf{b}_3^*, & (\mathbf{d}_4^*, \mathbf{d}_5^*, \mathbf{d}_6^*) &:= (\mathbf{b}_4^*, \mathbf{b}_5^*, \mathbf{b}_6^*)(\mathbf{A}^{-1})^{\top}.
\end{aligned}$$
We note that $\mathbb{D}, \mathbb{D}^*$ are properly distributed, and reveal no information about $\mathbf{A}$. $\mathcal{B}_{\kappa_1,\kappa_2}$ chooses a random value $\alpha \in \mathbb{Z}_q$ and computes $g_T := e(g_1, g_2)^{\alpha\,\mathbf{d}_1\cdot\mathbf{d}_1^*}$. $\mathcal{B}_{\kappa_1,\kappa_2}$ then gives $\mathcal{A}$ the public parameters $\mathrm{PP} := \{\mathbb{G};\ g_T, g_1^{\mathbf{d}_1}, g_1^{\mathbf{d}_2}, g_1^{\mathbf{d}_3}\}$. The master key $\mathrm{MK} := \{\alpha, g_2^{\mathbf{d}_1^*}, g_2^{\mathbf{d}_2^*}, g_2^{\mathbf{d}_3^*}\}$ is known to $\mathcal{B}_{\kappa_1,\kappa_2}$, which allows $\mathcal{B}_{\kappa_1,\kappa_2}$ to respond to all of $\mathcal{A}$'s private key and key update queries by calling the normal key generation algorithm. Since $\mathcal{B}_{\kappa_1,\kappa_2}$ also knows $g_2^{\mathbf{d}_4^*}, g_2^{\mathbf{d}_5^*}$, and $g_2^{\mathbf{d}_6^*}$, it can easily produce semi-functional keys. To answer the key queries that $\mathcal{A}$ makes, $\mathcal{B}_{\kappa_1,\kappa_2}$ runs the semi-functional private key and key update generation algorithms to produce semi-functional keys and gives these to $\mathcal{A}$. To answer the $\kappa_2$-th component of the $(\kappa_1 - q_{n_1})$-th key update for $t'_{\kappa_1 - q_{n_1}}$, $\mathcal{B}_{\kappa_1,\kappa_2}$ responds with:
$$K_{t'_{\kappa_1 - q_{n_1}},\theta} := g_2^{\alpha_{\theta,2}\mathbf{b}_1^*} \cdot (T_1)^{t'_{\kappa_1 - q_{n_1}}} \cdot (T_3)^{-1}.$$
This implicitly sets $r_{\theta,2} := \tau_1$. If $T_1, T_2, T_3$ are equal to $g_2^{\tau_1\mathbf{b}_1^*}, g_2^{\tau_1\mathbf{b}_2^*}, g_2^{\tau_1\mathbf{b}_3^*}$, then this is a properly distributed normal key update. Otherwise, if $T_1, T_2, T_3$ are equal to $g_2^{\tau_1\mathbf{b}_1^* + \tau_2\mathbf{b}_4^*}, g_2^{\tau_1\mathbf{b}_2^* + \tau_2\mathbf{b}_5^*}, g_2^{\tau_1\mathbf{b}_3^* + \tau_2\mathbf{b}_6^*}$, then this is a semi-functional key update, whose exponent vector includes
$$t'_{\kappa_1 - q_{n_1}}\tau_2\mathbf{b}_4^* - \tau_2\mathbf{b}_6^* \qquad (8)$$
as its component in the span of $\mathbf{b}_4^*, \mathbf{b}_5^*, \mathbf{b}_6^*$. To respond to the remaining key queries, $\mathcal{B}_{\kappa_1,\kappa_2}$ simply runs the normal key generation algorithm.

At some point, $\mathcal{A}$ sends $\mathcal{B}_{\kappa_1,\kappa_2}$ two pairs $(id^*_{(0)}, t^*_{(0)}, m^*_{(0)})$ and $(id^*_{(1)}, t^*_{(1)}, m^*_{(1)})$. $\mathcal{B}_{\kappa_1,\kappa_2}$ chooses a random bit $\beta \in \{0, 1\}$ and encrypts $m^*_{(\beta)}$ under $(id^*_{(\beta)}, t^*_{(\beta)})$ as follows:
$$C := m^*_{(\beta)} \cdot \big(e(U_1, g_2^{\mathbf{d}_1^*})\big)^{\alpha} = m^*_{(\beta)} \cdot (g_T)^{\mu_1},\qquad C_0 := U_1\,(U_2)^{id^*_{(\beta)}}\,(U_3)^{t^*_{(\beta)}},$$
where $\mathcal{B}_{\kappa_1,\kappa_2}$ has implicitly set $z := \mu_1$. The "semi-functional part" of the exponent vector here is:
$$\mu_2\mathbf{b}_4 + id^*_{(\beta)}\mu_2\mathbf{b}_5 + t^*_{(\beta)}\mu_2\mathbf{b}_6. \qquad (9)$$

We observe that if $t^*_{(\beta)} = t'_{\kappa_1 - q_{n_1}}$ (which is impossible), then vectors (8) and (9) would be orthogonal, resulting in a nominally semi-functional ciphertext and key pair ($\mathcal{B}_{\kappa_1,\kappa_2}$ can also use $T_1, T_2, T_3$ to generate the private key part for $id^*_{(\beta)}$) of Type I. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$.

We now argue that since $t^*_{(\beta)} \neq t'_{\kappa_1 - q_{n_1}}$, in $\mathcal{A}$'s view the vectors (8) and (9) are distributed as random vectors in the spans of $\mathbf{d}_4^*, \mathbf{d}_5^*, \mathbf{d}_6^*$ and $\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6$ respectively. To see this, we take the coefficients of vectors (8) and (9) in terms of the bases $\mathbf{b}_4^*, \mathbf{b}_5^*, \mathbf{b}_6^*$ and $\mathbf{b}_4, \mathbf{b}_5, \mathbf{b}_6$ respectively and translate them into coefficients in terms of the bases $\mathbf{d}_4^*, \mathbf{d}_5^*, \mathbf{d}_6^*$ and $\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6$. Using the change of basis matrix $\mathbf{A}$, we obtain the new coefficients (in vector form) as:
$$\tau_2\mathbf{A}^{\top}(t'_{\kappa_1 - q_{n_1}}, 0, -1)^{\top},\qquad \mu_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}.$$
Since the distribution of everything given to $\mathcal{A}$ except for the $\kappa_2$-th component of the $(\kappa_1 - q_{n_1})$-th key update $K_{t'_{\kappa_1 - q_{n_1}},\theta}$ and the challenge ciphertext $(C, C_0)$ is independent of the random matrix $\mathbf{A}$, and $t^*_{(\beta)} \neq t'_{\kappa_1 - q_{n_1}}$, we can conclude that these coefficients are uniformly distributed except with probability $4/q$ (namely, the cases where $\mu_2$ or $\tau_2$ defined in the Subspace problem is zero, or $(\chi_4, \chi_5, \chi_6)$ or $(\nu_{\theta,4,2}, \nu_{\theta,5,2}, \nu_{\theta,6,2})$ defined in Equations (3) and (2) is the zero vector) from Lemma 2. Thus, $\mathcal{B}_{\kappa_1,\kappa_2}$ has properly simulated $\mathrm{Game}_{\kappa_1,\kappa_2}$ in this case.

If $T_1, T_2, T_3$ are equal to $g_2^{\tau_1\mathbf{b}_1^*}, g_2^{\tau_1\mathbf{b}_2^*}, g_2^{\tau_1\mathbf{b}_3^*}$, then the coefficients of the vector (9) are uniformly distributed except with probability $2/q$ (namely, the cases where $\mu_2$ defined in the Subspace problem is zero, or $(\chi_4, \chi_5, \chi_6)$ defined in Equation (3) is the zero vector) from Lemma 2. Thus, $\mathcal{B}_{\kappa_1,\kappa_2}$ has properly simulated $\mathrm{Game}_{\kappa_1,\kappa_2-1}$ in this case.

In summary, $\mathcal{B}_{\kappa_1,\kappa_2}$ has properly simulated either $\mathrm{Game}_{\kappa_1,\kappa_2-1}$ or $\mathrm{Game}_{\kappa_1,\kappa_2}$ for $\mathcal{A}$, depending on the distribution of $T_1, T_2, T_3$. It can therefore leverage $\mathcal{A}$'s advantage $\varepsilon$ between these games to obtain an advantage $\varepsilon + \frac{4}{q}$ against the Subspace assumption in $\mathbb{G}_2$, namely $\mathrm{Adv}^{\mathrm{DS2}}_{\mathcal{B}_{\kappa_1,\kappa_2}}(\lambda) = \varepsilon + \frac{4}{q}$. $\blacksquare$

Lemma 8. For $\kappa_2$ from 1 to $4N_{max}$, suppose that there exists an adversary $\mathcal{A}$ where $|\mathrm{Adv}^{\mathrm{Game}_{q_{n_1}+q_{n_2}+1,\kappa_2-1}}_{\mathcal{A}}(\lambda) - \mathrm{Adv}^{\mathrm{Game}_{q_{n_1}+q_{n_2}+1,\kappa_2}}_{\mathcal{A}}(\lambda)| = \varepsilon$. Then there exists an algorithm $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ such that $\mathrm{Adv}^{\mathrm{DS2}}_{\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}}(\lambda) = \varepsilon + \frac{6}{q}$, with $K = 3$ and $N = 6$.

Proof: $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ is given
$$D := (\mathbb{G};\ g_1^{\mathbf{b}_1}, g_1^{\mathbf{b}_2}, g_1^{\mathbf{b}_3},\ g_2^{\mathbf{b}_1^*}, \dots, g_2^{\mathbf{b}_6^*},\ U_1, U_2, U_3,\ \mu_2)$$
along with $T_1, T_2, T_3$. We require that $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ decides whether $T_1, T_2, T_3$ are distributed as $g_2^{\tau_1\mathbf{b}_1^*}, g_2^{\tau_1\mathbf{b}_2^*}, g_2^{\tau_1\mathbf{b}_3^*}$ or
$$g_2^{\tau_1\mathbf{b}_1^* + \tau_2\mathbf{b}_4^*},\ g_2^{\tau_1\mathbf{b}_2^* + \tau_2\mathbf{b}_5^*},\ g_2^{\tau_1\mathbf{b}_3^* + \tau_2\mathbf{b}_6^*}.$$

$\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ simulates $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ or $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,\kappa_2-1}$ with $\mathcal{A}$, depending on the distribution of $T_1, T_2, T_3$. To compute the public parameters and master key, $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ chooses a random matrix $\mathbf{A} \in \mathbb{Z}_q^{3\times 3}$ (with all but negligible probability, $\mathbf{A}$ is invertible). We then implicitly set dual orthonormal bases $\mathbb{D}, \mathbb{D}^*$ to:
$$\begin{aligned}
\mathbf{d}_1 &:= \mathbf{b}_1, & \mathbf{d}_2 &:= \mathbf{b}_2, & \mathbf{d}_3 &:= \mathbf{b}_3, & (\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6) &:= (\mathbf{b}_4, \mathbf{b}_5, \mathbf{b}_6)\mathbf{A}, \\
\mathbf{d}_1^* &:= \mathbf{b}_1^*, & \mathbf{d}_2^* &:= \mathbf{b}_2^*, & \mathbf{d}_3^* &:= \mathbf{b}_3^*, & (\mathbf{d}_4^*, \mathbf{d}_5^*, \mathbf{d}_6^*) &:= (\mathbf{b}_4^*, \mathbf{b}_5^*, \mathbf{b}_6^*)(\mathbf{A}^{-1})^{\top}.
\end{aligned}$$
We note that $\mathbb{D}, \mathbb{D}^*$ are properly distributed, and reveal no information about $\mathbf{A}$. $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ chooses a random value $\alpha \in \mathbb{Z}_q$ and computes $g_T := e(g_1, g_2)^{\alpha\,\mathbf{d}_1\cdot\mathbf{d}_1^*}$. It then gives $\mathcal{A}$ the public parameters
$$\mathrm{PP} := \{\mathbb{G};\ g_T, g_1^{\mathbf{d}_1}, g_1^{\mathbf{d}_2}, g_1^{\mathbf{d}_3}\}.$$
The master key
$$\mathrm{MK} := \{\alpha, g_2^{\mathbf{d}_1^*}, g_2^{\mathbf{d}_2^*}, g_2^{\mathbf{d}_3^*}\}$$
is known to $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$, which allows $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ to respond to all of $\mathcal{A}$'s private key and key update queries by calling the normal key generation algorithm. Since $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ also knows $g_2^{\mathbf{d}_4^*}, g_2^{\mathbf{d}_5^*}, g_2^{\mathbf{d}_6^*}$, it can easily produce semi-functional keys. To answer the key queries that $\mathcal{A}$ makes, $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ runs the semi-functional private key and key update generation algorithms to produce semi-functional keys and gives these to $\mathcal{A}$.

However, $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ changes the strategy to respond to all the components for the $\kappa_2$-th node in the binary tree of private keys and key updates. All key queries for $\Gamma_1$ and $\Gamma_2$ are handled similarly to the following process, except that $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ uses $g_2^{\mathbf{b}_4^*}, \dots, g_2^{\mathbf{b}_6^*}$ to re-randomize the exponents. To answer the component for the challenge identities $id^*_{(0)}, id^*_{(1)}$ and times $t^*_{(0)}, t^*_{(1)}$ (namely, the $\hat\varphi_1, \hat\varphi_2$-th private key and $\hat\varphi_3, \hat\varphi_4$-th key update queries) on the $\kappa_2$-th node, $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ picks $\alpha'_{\theta,1}, \alpha''_{\theta,1} \leftarrow_R \mathbb{Z}_q$ and responds with:
$$\begin{aligned}
K_{id^*_{(0)},\theta} &:= g_2^{\alpha'_{\theta,1}\mathbf{b}_1^*} \cdot (T_1)^{\alpha''_{\theta,1} + id^*_{(0)} r'_{\theta,1}} \cdot (T_2)^{-r'_{\theta,1}}, \\
K_{t^*_{(0)},\theta} &:= g_2^{(\alpha - \alpha'_{\theta,1})\mathbf{b}_1^*} \cdot (T_1)^{-\alpha''_{\theta,1} + t^*_{(0)} r'_{\theta,2}} \cdot (T_3)^{-r'_{\theta,2}},
\end{aligned}$$
and analogously for $id^*_{(1)}, t^*_{(1)}$ with $r''_{\theta,1}, r''_{\theta,2}$ in place of $r'_{\theta,1}, r'_{\theta,2}$, where $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ implicitly sets $\alpha_{\theta,1} := \alpha'_{\theta,1} + \alpha''_{\theta,1}\tau_1$ and $\alpha_{\theta,2} := \alpha - \alpha'_{\theta,1} - \alpha''_{\theta,1}\tau_1$ (note that $\alpha_{\theta,1} + \alpha_{\theta,2} = \alpha$). Note that from the restriction of queries for the challenge identities and times, only part of the keys are given to $\mathcal{A}$.

If $T_1, T_2, T_3$ are equal to $g_2^{\tau_1\mathbf{b}_1^*}, g_2^{\tau_1\mathbf{b}_2^*}, g_2^{\tau_1\mathbf{b}_3^*}$, then these are properly distributed normal keys. If $T_1, T_2, T_3$ are equal to $g_2^{\tau_1\mathbf{b}_1^* + \tau_2\mathbf{b}_4^*}, g_2^{\tau_1\mathbf{b}_2^* + \tau_2\mathbf{b}_5^*}, g_2^{\tau_1\mathbf{b}_3^* + \tau_2\mathbf{b}_6^*}$, then these are semi-functional keys, whose exponent vectors include
$$\begin{aligned}
(\alpha''_{\theta,1}\tau_2 + id^*_{(0)}\tau_2 r'_{\theta,1})\mathbf{b}_4^* - \tau_2 r'_{\theta,1}\mathbf{b}_5^*, &\qquad (10) \\
(-\alpha''_{\theta,1}\tau_2 + t^*_{(0)}\tau_2 r'_{\theta,2})\mathbf{b}_4^* - \tau_2 r'_{\theta,2}\mathbf{b}_6^*, &\qquad (11) \\
(\alpha''_{\theta,1}\tau_2 + id^*_{(1)}\tau_2 r''_{\theta,1})\mathbf{b}_4^* - \tau_2 r''_{\theta,1}\mathbf{b}_5^*, &\qquad (12) \\
(-\alpha''_{\theta,1}\tau_2 + t^*_{(1)}\tau_2 r''_{\theta,2})\mathbf{b}_4^* - \tau_2 r''_{\theta,2}\mathbf{b}_6^*, &\qquad (13)
\end{aligned}$$
as their components in the span of $\mathbf{b}_4^*, \mathbf{b}_5^*, \mathbf{b}_6^*$ respectively. To respond to the remaining key queries, $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ simply runs the normal key generation algorithm.

At some point, $\mathcal{A}$ sends $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ two challenge pairs $(id^*_{(0)}, t^*_{(0)}, m^*_{(0)})$ and $(id^*_{(1)}, t^*_{(1)}, m^*_{(1)})$. $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ chooses a random bit $\beta \in \{0, 1\}$ and encrypts $m^*_{(\beta)}$ under $(id^*_{(\beta)}, t^*_{(\beta)})$ as follows:
$$C := m^*_{(\beta)} \cdot \big(e(U_1, g_2^{\mathbf{d}_1^*})\big)^{\alpha} = m^*_{(\beta)} \cdot (g_T)^{\mu_1},\qquad C_0 := U_1\,(U_2)^{id^*_{(\beta)}}\,(U_3)^{t^*_{(\beta)}},$$
where $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ has implicitly set $z := \mu_1$. The "semi-functional part" of the exponent vector here is:
$$\mu_2\mathbf{b}_4 + id^*_{(\beta)}\mu_2\mathbf{b}_5 + t^*_{(\beta)}\mu_2\mathbf{b}_6. \qquad (14)$$

We observe that $((C, C_0), K_{id^*_{(\beta)},\theta}, K_{t^*_{(\beta)},\theta})$ would result in a nominally semi-functional ciphertext and key pair of Type II. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$.

Since the adversary $\mathcal{A}$ is only allowed to query one of the following sets for the challenge identities and times:
$$\emptyset,\ \{id^*_{(0)}\},\ \{id^*_{(1)}\},\ \{t^*_{(0)}\},\ \{t^*_{(1)}\},\ \{id^*_{(0)}, id^*_{(1)}\},\ \{t^*_{(0)}, t^*_{(1)}\},\ \{id^*_{(0)}, t^*_{(1)}\},\ \{id^*_{(1)}, t^*_{(0)}\},$$
we now argue that in $\mathcal{A}$'s view the given vectors (10), (11), (12), (13) and (14) are distributed as random vectors in the spans of $\mathbf{d}_4^*, \mathbf{d}_5^*, \mathbf{d}_6^*$ and $\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6$ respectively. To see this, we take the coefficients of vectors (10), (11), (12), (13) and (14) in terms of the bases $\mathbf{b}_4^*, \mathbf{b}_5^*, \mathbf{b}_6^*$ and $\mathbf{b}_4, \mathbf{b}_5, \mathbf{b}_6$ respectively and translate them into coefficients in terms of the bases $\mathbf{d}_4^*, \mathbf{d}_5^*, \mathbf{d}_6^*$ and $\mathbf{d}_4, \mathbf{d}_5, \mathbf{d}_6$. Using the change of basis matrix $\mathbf{A}$ and the statistical indistinguishability lemmas, we obtain new random coefficients (in vector form), which are summarized in the following Table:



| Case | Type of Adversary | New Coefficients |
|---|---|---|
| 1 | $\emptyset$ | $\mu_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}$ |
| 2 | $\{id^*_{(0)}\}$ | $\mu_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}$, $\mathbf{A}^{\top}(\alpha''_{\theta,1}\tau_2 + id^*_{(0)}\tau_2 r'_{\theta,1},\ -\tau_2 r'_{\theta,1},\ 0)^{\top}$ |
| 3 | $\{id^*_{(1)}\}$ | $\mu_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}$, $\mathbf{A}^{\top}(\alpha''_{\theta,1}\tau_2 + id^*_{(1)}\tau_2 r''_{\theta,1},\ -\tau_2 r''_{\theta,1},\ 0)^{\top}$ |
| 4 | $\{t^*_{(0)}\}$ | $\mu_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}$, $\mathbf{A}^{\top}(-\alpha''_{\theta,1}\tau_2 + t^*_{(0)}\tau_2 r'_{\theta,2},\ 0,\ -\tau_2 r'_{\theta,2})^{\top}$ |
| 5 | $\{t^*_{(1)}\}$ | $\mu_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}$, $\mathbf{A}^{\top}(-\alpha''_{\theta,1}\tau_2 + t^*_{(1)}\tau_2 r''_{\theta,2},\ 0,\ -\tau_2 r''_{\theta,2})^{\top}$ |
| 6 | $\{id^*_{(0)}, id^*_{(1)}\}$ | $\mu_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}$, $\mathbf{A}^{\top}(\alpha''_{\theta,1}\tau_2 + id^*_{(0)}\tau_2 r'_{\theta,1},\ -\tau_2 r'_{\theta,1},\ 0)^{\top}$, $\mathbf{A}^{\top}(\alpha''_{\theta,1}\tau_2 + id^*_{(1)}\tau_2 r''_{\theta,1},\ -\tau_2 r''_{\theta,1},\ 0)^{\top}$ |
| 7 | $\{t^*_{(0)}, t^*_{(1)}\}$ | $\mu_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}$, $\mathbf{A}^{\top}(-\alpha''_{\theta,1}\tau_2 + t^*_{(0)}\tau_2 r'_{\theta,2},\ 0,\ -\tau_2 r'_{\theta,2})^{\top}$, $\mathbf{A}^{\top}(-\alpha''_{\theta,1}\tau_2 + t^*_{(1)}\tau_2 r''_{\theta,2},\ 0,\ -\tau_2 r''_{\theta,2})^{\top}$ |
| 8 | $\{id^*_{(0)}, t^*_{(1)}\}$ | $\mu_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}$, $\mathbf{A}^{\top}(\alpha''_{\theta,1}\tau_2 + id^*_{(0)}\tau_2 r'_{\theta,1},\ -\tau_2 r'_{\theta,1},\ 0)^{\top}$, $\mathbf{A}^{\top}(-\alpha''_{\theta,1}\tau_2 + t^*_{(1)}\tau_2 r''_{\theta,2},\ 0,\ -\tau_2 r''_{\theta,2})^{\top}$ |
| 9 | $\{id^*_{(1)}, t^*_{(0)}\}$ | $\mu_2\mathbf{A}^{-1}(1, id^*_{(\beta)}, t^*_{(\beta)})^{\top}$, $\mathbf{A}^{\top}(\alpha''_{\theta,1}\tau_2 + id^*_{(1)}\tau_2 r''_{\theta,1},\ -\tau_2 r''_{\theta,1},\ 0)^{\top}$, $\mathbf{A}^{\top}(-\alpha''_{\theta,1}\tau_2 + t^*_{(0)}\tau_2 r'_{\theta,2},\ 0,\ -\tau_2 r'_{\theta,2})^{\top}$ |

Since the distribution of everything given to $\mathcal{A}$ except for the coefficients of the vectors in the above Table is independent of the random matrix $\mathbf{A}$, we can conclude that these coefficients are uniformly distributed except with probability

• $2/q$, namely except for the cases:
  - $\mu_2$ defined in the Subspace problem is zero,
  - $(\chi_4, \chi_5, \chi_6)$ defined in Equation (3) is the zero vector,
  from Lemma 2, for Case 1.

• $4/q$, namely except for the cases:
  - $\mu_2$ or $\tau_2$ defined in the Subspace problem is zero,
  - $(\chi_4, \chi_5, \chi_6)$ or $(\nu_{\theta,4,1}, \nu_{\theta,5,1}, \nu_{\theta,6,1})$ or $(\nu_{\theta,4,2}, \nu_{\theta,5,2}, \nu_{\theta,6,2})$ defined in Equations (3), (1) and (2) is the zero vector,
  from Lemma 2, for Cases 2-5, since $\alpha''_{\theta,1}$ is randomly picked from $\mathbb{Z}_q$.

• $6/q$, namely except for the cases:
  - $\mu_2$ or $\tau_2$ defined in the Subspace problem is zero,
  - $(\chi_4, \chi_5, \chi_6)$ or $(\nu_{\theta,4,1}, \nu_{\theta,5,1}, \nu_{\theta,6,1})$ or $(\nu_{\theta,4,2}, \nu_{\theta,5,2}, \nu_{\theta,6,2})$ defined in Equations (3), (1) and (2) is the zero vector,
  - $(\nu_{\theta,4,1}, \nu_{\theta,5,1}, \nu_{\theta,6,1})$ and $(\nu_{\theta,4,2}, \nu_{\theta,5,2}, \nu_{\theta,6,2})$ defined in Equations (1) and (2) are linearly dependent,
  from Lemma 3, for Cases 6-9, since $\alpha''_{\theta,1}$ is randomly picked from $\mathbb{Z}_q$ and the coefficients of vectors (10), (11), (12), (13) are linearly independent.

Thus, $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ has properly simulated $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ in this case.

If $T_1, T_2, T_3$ are equal to $g_2^{\tau_1\mathbf{b}_1^*}, g_2^{\tau_1\mathbf{b}_2^*}, g_2^{\tau_1\mathbf{b}_3^*}$, then the coefficients of the vector (14) are uniformly distributed except with probability $2/q$ (namely, the cases where $\mu_2$ defined in the Subspace problem is zero, or $(\chi_4, \chi_5, \chi_6)$ defined in Equation (3) is the zero vector) from Lemma 2. Thus, $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ has properly simulated $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,\kappa_2-1}$ in this case.

In summary, $\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ has properly simulated either $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,\kappa_2-1}$ or $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,\kappa_2}$ for $\mathcal{A}$, depending on the distribution of $T_1, T_2, T_3$. It can therefore leverage $\mathcal{A}$'s advantage $\varepsilon$ between these games to obtain an advantage $\varepsilon + \frac{6}{q}$ against the Subspace assumption in $\mathbb{G}_2$, namely $\mathrm{Adv}^{\mathrm{DS2}}_{\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}}(\lambda) = \varepsilon + \frac{6}{q}$. $\blacksquare$

Lemma 9. For any adversary $\mathcal{A}$, $\mathsf{Adv}^{\mathrm{Game}_{q_{n_1}+q_{n_2}+1,4N_{\max}}}(\mathcal{A}) \le \mathsf{Adv}^{\mathrm{Game}_{Final}}(\mathcal{A}) + \frac{1}{q}$.

Proof: To prove this lemma, we show that the joint distributions of

$$(PP,\; CT^{(SF)}_{id^{(\beta)},t^{(\beta)}},\; \{SK^{(SF)}_{id^{(\ell)}}\}_{\ell\in[q_{n_1}]},\; \{KU^{(SF)}_{t^{(\ell)}}\}_{\ell\in[q_{n_2}]})$$

in $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,4N_{\max}}$ and of

$$(PP,\; CT^{(SF)}_{id^{(R)},t^{(R)}},\; \{SK^{(SF)}_{id^{(\ell)}}\}_{\ell\in[q_{n_1}]},\; \{KU^{(SF)}_{t^{(\ell)}}\}_{\ell\in[q_{n_2}]})$$

in $\mathrm{Game}_{Final}$ are equivalent in the adversary's view, where $CT^{(SF)}_{id^{(R)},t^{(R)}}$ is a semi-functional encryption of a random message in $\mathbb{G}_T$ under a random identity $id^{(R)}$ in $\mathbb{Z}_q$ and a random time $t^{(R)}$ in $\mathbb{Z}_q$.

For this purpose, we pick $(\xi_{i,j})_{i,j\in[3]} \leftarrow_R \mathbb{Z}_q^{3\times 3}$ and define new dual orthonormal bases $\mathbb{F} := (\mathbf{f}_1,\ldots,\mathbf{f}_6)$ and $\mathbb{F}^* := (\mathbf{f}_1^*,\ldots,\mathbf{f}_6^*)$ as follows:

$$
\begin{pmatrix} \mathbf{f}_1 \\ \mathbf{f}_2 \\ \mathbf{f}_3 \\ \mathbf{f}_4 \\ \mathbf{f}_5 \\ \mathbf{f}_6 \end{pmatrix}
:=
\begin{pmatrix}
1 & & & & & \\
& 1 & & & & \\
& & 1 & & & \\
\xi_{1,1} & \xi_{1,2} & \xi_{1,3} & 1 & & \\
\xi_{2,1} & \xi_{2,2} & \xi_{2,3} & & 1 & \\
\xi_{3,1} & \xi_{3,2} & \xi_{3,3} & & & 1
\end{pmatrix}
\begin{pmatrix} \mathbf{d}_1 \\ \mathbf{d}_2 \\ \mathbf{d}_3 \\ \mathbf{d}_4 \\ \mathbf{d}_5 \\ \mathbf{d}_6 \end{pmatrix},
\qquad
\begin{pmatrix} \mathbf{f}_1^* \\ \mathbf{f}_2^* \\ \mathbf{f}_3^* \\ \mathbf{f}_4^* \\ \mathbf{f}_5^* \\ \mathbf{f}_6^* \end{pmatrix}
:=
\begin{pmatrix}
1 & & & -\xi_{1,1} & -\xi_{2,1} & -\xi_{3,1} \\
& 1 & & -\xi_{1,2} & -\xi_{2,2} & -\xi_{3,2} \\
& & 1 & -\xi_{1,3} & -\xi_{2,3} & -\xi_{3,3} \\
& & & 1 & & \\
& & & & 1 & \\
& & & & & 1
\end{pmatrix}
\begin{pmatrix} \mathbf{d}_1^* \\ \mathbf{d}_2^* \\ \mathbf{d}_3^* \\ \mathbf{d}_4^* \\ \mathbf{d}_5^* \\ \mathbf{d}_6^* \end{pmatrix}.
$$

It is easy to verify that $\mathbb{F}$ and $\mathbb{F}^*$ are also dual orthonormal (each $\mathbf{f}_{3+i}$ picks up $+\xi_{i,j}$ from $\mathbf{d}_j$ and each $\mathbf{f}_j^*$ cancels it with $-\xi_{i,j}$ on $\mathbf{d}_{3+i}^*$), and are distributed the same as $\mathbb{D}$ and $\mathbb{D}^*$.

Then the public parameters, challenge ciphertext, queried private keys and key updates in $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,4N_{\max}}$ are expressed over bases $\mathbb{D}$ and $\mathbb{D}^*$ as

$$PP := \{\mathbb{G};\; g_T^{\alpha},\; g_1^{\mathbf{d}_1},\; g_1^{\mathbf{d}_2},\; g_1^{\mathbf{d}_3}\},$$

$$CT^{(SF)}_{id^{(\beta)},t^{(\beta)}} := \left\{ C := m_\beta \cdot (g_T^{\alpha})^{z},\;\; C_0 := g_1^{z(\mathbf{d}_1 + id^{(\beta)}\mathbf{d}_2 + t^{(\beta)}\mathbf{d}_3) + \chi_4\mathbf{d}_4 + \chi_5\mathbf{d}_5 + \chi_6\mathbf{d}_6} \right\},$$

$$SK^{(SF)}_{id^{(\ell)}} := \left\{ \left(\theta,\; K_{id^{(\ell)},\theta} := g_2^{(\alpha_{\theta,1} + r_{\theta,1} id^{(\ell)})\mathbf{d}_1^* - r_{\theta,1}\mathbf{d}_2^* + \nu_{\theta,4,1}\mathbf{d}_4^* + \nu_{\theta,5,1}\mathbf{d}_5^* + \nu_{\theta,6,1}\mathbf{d}_6^*}\right) \right\}_{\theta\in\mathrm{Path}(v_\ell)}, \quad \ell\in[q_{n_1}],$$

$$KU^{(SF)}_{t^{(\ell)}} := \left\{ \left(\theta,\; K_{t^{(\ell)},\theta} := g_2^{(\alpha_{\theta,2} + r_{\theta,2} t^{(\ell)})\mathbf{d}_1^* - r_{\theta,2}\mathbf{d}_3^* + \nu_{\theta,4,2}\mathbf{d}_4^* + \nu_{\theta,5,2}\mathbf{d}_5^* + \nu_{\theta,6,2}\mathbf{d}_6^*}\right) \right\}_{\theta\in\mathrm{KUNodes}(BT,RL,t^{(\ell)})}, \quad \ell\in[q_{n_2}].$$

Then we can express them over bases $\mathbb{F}$ and $\mathbb{F}^*$ as

$$PP := \{\mathbb{G};\; g_T^{\alpha},\; g_1^{\mathbf{f}_1},\; g_1^{\mathbf{f}_2},\; g_1^{\mathbf{f}_3}\},$$

$$CT^{(SF)}_{id^{(\beta)},t^{(\beta)}} := \left\{ C := m_\beta \cdot (g_T^{\alpha})^{z},\;\; C_0 := g_1^{z'_1\mathbf{f}_1 + z'_2\mathbf{f}_2 + z'_3\mathbf{f}_3 + \chi_4\mathbf{f}_4 + \chi_5\mathbf{f}_5 + \chi_6\mathbf{f}_6} \right\},$$

$$SK^{(SF)}_{id^{(\ell)}} := \left\{ \left(\theta,\; K_{id^{(\ell)},\theta} := g_2^{(\alpha_{\theta,1} + r_{\theta,1} id^{(\ell)})\mathbf{f}_1^* - r_{\theta,1}\mathbf{f}_2^* + \nu'_{\theta,4,1}\mathbf{f}_4^* + \nu'_{\theta,5,1}\mathbf{f}_5^* + \nu'_{\theta,6,1}\mathbf{f}_6^*}\right) \right\}_{\theta\in\mathrm{Path}(v_\ell)}, \quad \ell\in[q_{n_1}],$$

$$KU^{(SF)}_{t^{(\ell)}} := \left\{ \left(\theta,\; K_{t^{(\ell)},\theta} := g_2^{(\alpha_{\theta,2} + r_{\theta,2} t^{(\ell)})\mathbf{f}_1^* - r_{\theta,2}\mathbf{f}_3^* + \nu'_{\theta,4,2}\mathbf{f}_4^* + \nu'_{\theta,5,2}\mathbf{f}_5^* + \nu'_{\theta,6,2}\mathbf{f}_6^*}\right) \right\}_{\theta\in\mathrm{KUNodes}(BT,RL,t^{(\ell)})}, \quad \ell\in[q_{n_2}],$$

where

$$z'_1 := z - \chi_4\xi_{1,1} - \chi_5\xi_{2,1} - \chi_6\xi_{3,1}, \qquad z'_2 := z\, id^{(\beta)} - \chi_4\xi_{1,2} - \chi_5\xi_{2,2} - \chi_6\xi_{3,2}, \qquad z'_3 := z\, t^{(\beta)} - \chi_4\xi_{1,3} - \chi_5\xi_{2,3} - \chi_6\xi_{3,3},$$

$$\nu'_{\theta,4,1} := \nu_{\theta,4,1} + \xi_{1,1}(\alpha_{\theta,1} + r_{\theta,1} id^{(\ell)}) - r_{\theta,1}\xi_{1,2}, \quad \nu'_{\theta,5,1} := \nu_{\theta,5,1} + \xi_{2,1}(\alpha_{\theta,1} + r_{\theta,1} id^{(\ell)}) - r_{\theta,1}\xi_{2,2}, \quad \nu'_{\theta,6,1} := \nu_{\theta,6,1} + \xi_{3,1}(\alpha_{\theta,1} + r_{\theta,1} id^{(\ell)}) - r_{\theta,1}\xi_{3,2}$$

for $\theta \in \mathrm{Path}(v_\ell)$, $\ell \in [q_{n_1}]$, and

$$\nu'_{\theta,4,2} := \nu_{\theta,4,2} + \xi_{1,1}(\alpha_{\theta,2} + r_{\theta,2} t^{(\ell)}) - r_{\theta,2}\xi_{1,3}, \quad \nu'_{\theta,5,2} := \nu_{\theta,5,2} + \xi_{2,1}(\alpha_{\theta,2} + r_{\theta,2} t^{(\ell)}) - r_{\theta,2}\xi_{2,3}, \quad \nu'_{\theta,6,2} := \nu_{\theta,6,2} + \xi_{3,1}(\alpha_{\theta,2} + r_{\theta,2} t^{(\ell)}) - r_{\theta,2}\xi_{3,3}$$

for $\theta \in \mathrm{KUNodes}(BT, RL, t^{(\ell)})$, $\ell \in [q_{n_2}]$. (These follow from substituting $\mathbf{d}_{3+i} = \mathbf{f}_{3+i} - \sum_{j} \xi_{i,j}\mathbf{f}_j$ and $\mathbf{d}_j^* = \mathbf{f}_j^* + \sum_{i} \xi_{i,j}\mathbf{f}_{3+i}^*$ into the expressions above.) All of these are uniformly distributed if $(\chi_4,\chi_5,\chi_6)$ defined in Equation (3) is a non-zero vector, since

$$\{\xi_{i,j}\}_{i\in[3],j\in[3]}, \qquad \{\{\nu_{\theta,4,1},\nu_{\theta,5,1},\nu_{\theta,6,1}\}_{\theta\in\mathrm{Path}(v_\ell)}\}_{\ell\in[q_{n_1}]}, \qquad \{\{\nu_{\theta,4,2},\nu_{\theta,5,2},\nu_{\theta,6,2}\}_{\theta\in\mathrm{KUNodes}(BT,RL,t^{(\ell)})}\}_{\ell\in[q_{n_2}]}$$

are all uniformly picked from $\mathbb{Z}_q$.

In other words, the coefficients $(z, z\,id^{(\beta)}, z\,t^{(\beta)})$ of $\mathbf{d}_1,\mathbf{d}_2,\mathbf{d}_3$ in the $C_0$ term of the challenge ciphertext are changed to random coefficients $(z'_1, z'_2, z'_3) \in \mathbb{Z}_q\times\mathbb{Z}_q\times\mathbb{Z}_q$ of $\mathbf{f}_1,\mathbf{f}_2,\mathbf{f}_3$; thus the challenge ciphertext can be viewed as a semi-functional encryption of a random message in $\mathbb{G}_T$ under a random identity in $\mathbb{Z}_q$ and a random time in $\mathbb{Z}_q$. Moreover, it is not difficult to check that all other coefficients are well distributed. Thus

$$(PP,\; CT^{(SF)}_{id^{(\beta)},t^{(\beta)}},\; \{SK^{(SF)}_{id^{(\ell)}}\}_{\ell\in[q_{n_1}]},\; \{KU^{(SF)}_{t^{(\ell)}}\}_{\ell\in[q_{n_2}]})$$

expressed over bases $\mathbb{F}$ and $\mathbb{F}^*$ is properly distributed as

$$(PP,\; CT^{(SF)}_{id^{(R)},t^{(R)}},\; \{SK^{(SF)}_{id^{(\ell)}}\}_{\ell\in[q_{n_1}]},\; \{KU^{(SF)}_{t^{(\ell)}}\}_{\ell\in[q_{n_2}]})$$

in $\mathrm{Game}_{Final}$.

In the adversary's view, both $(\mathbb{D}, \mathbb{D}^*)$ and $(\mathbb{F}, \mathbb{F}^*)$ are consistent with the same public key. Therefore, the challenge ciphertext and queried secret keys above can be expressed as keys and ciphertext in two ways: in $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,4N_{\max}}$ over bases $(\mathbb{D},\mathbb{D}^*)$ and in $\mathrm{Game}_{Final}$ over bases $(\mathbb{F},\mathbb{F}^*)$. Thus, $\mathrm{Game}_{q_{n_1}+q_{n_2}+1,4N_{\max}}$ and $\mathrm{Game}_{Final}$ are statistically indistinguishable. ■
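The basis change at the heart of Lemma 9 can be checked mechanically on exponent vectors, without any pairing. The following is an added example (not code from the paper): it samples dual orthonormal bases over a small constructed prime, applies the change $(\mathbb{D},\mathbb{D}^*) \to (\mathbb{F},\mathbb{F}^*)$ with $\mathbf{f}_{3+i} = \mathbf{d}_{3+i} + \sum_j \xi_{i,j}\mathbf{d}_j$ and $\mathbf{f}_j^* = \mathbf{d}_j^* - \sum_i \xi_{i,j}\mathbf{d}_{3+i}^*$, verifies that the result is still dual orthonormal, and confirms that the $C_0$ exponent and a key exponent re-read over the new bases have exactly the closed-form coefficients $z'_j$ and $\nu'_{\theta,\cdot,1}$ given in the proof. The prime `Q`, the sampling routine `dual_bases` and all function names are assumptions of this example.

```python
# Added example (not from the paper): the change of dual orthonormal bases
# (D, D*) -> (F, F*) from Lemma 9, carried out on exponent vectors over Z_q.
# A group element g^v is represented by its exponent vector v, so <v, w> is the
# exponent a pairing e(g1^v, g2^w) would produce.  Q and all names are constructed.
import secrets
from typing import Dict, List, Optional, Tuple

Q = 1000003  # constructed small prime standing in for the group order q
Vec = List[int]
Mat = List[List[int]]


def dot(u: Vec, v: Vec) -> int:
    return sum(a * b for a, b in zip(u, v)) % Q


def lin(terms: List[Tuple[int, Vec]]) -> Vec:
    """Linear combination sum(c_i * v_i) over Z_q."""
    n = len(terms[0][1])
    return [sum(c * v[k] for c, v in terms) % Q for k in range(n)]


def invert(m: Mat) -> Optional[Mat]:
    """Gauss-Jordan inverse over Z_q; None if m is singular."""
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col] % Q), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, Q)
        a[col] = [x * inv % Q for x in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % Q for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def dual_bases(n: int) -> Tuple[Mat, Mat, int]:
    """Dual(Z_q^n): bases D, D* with d_i . d_j* = psi if i == j else 0."""
    while True:
        d = [[secrets.randbelow(Q) for _ in range(n)] for _ in range(n)]
        inv = invert(d)
        if inv is not None:
            break
    psi = 1 + secrets.randbelow(Q - 1)  # non-zero scalar
    d_star = [[psi * inv[j][i] % Q for j in range(n)] for i in range(n)]  # psi*(D^-1)^T
    return d, d_star, psi


def is_dual_orthonormal(b: Mat, b_star: Mat, psi: int) -> bool:
    n = len(b)
    return all(dot(b[i], b_star[j]) == (psi if i == j else 0)
               for i in range(n) for j in range(n))


def change_bases(d: Mat, d_star: Mat, xi: Mat) -> Tuple[Mat, Mat]:
    """f_j = d_j (j<=3); f_{3+i} = d_{3+i} + sum_k xi[i][k] d_k;
    f*_j = d*_j - sum_i xi[i][j] d*_{3+i} (j<=3); f*_{3+i} = d*_{3+i}."""
    f = [d[j][:] for j in range(3)]
    f += [lin([(1, d[3 + i])] + [(xi[i][k], d[k]) for k in range(3)]) for i in range(3)]
    f_star = [lin([(1, d_star[j])] + [(-xi[i][j], d_star[3 + i]) for i in range(3)])
              for j in range(3)]
    f_star += [d_star[3 + i][:] for i in range(3)]
    return f, f_star


def coords(v: Vec, dual_of_basis: Mat, psi: int) -> Vec:
    """Coefficients of v over a basis B, read off as <v, b_i*> / psi."""
    inv_psi = pow(psi, -1, Q)
    return [dot(v, bs) * inv_psi % Q for bs in dual_of_basis]


def ciphertext_coords(d, d_star, psi, xi, z, ident, t, chi):
    """C0 exponent z(d1 + id d2 + t d3) + chi4 d4 + chi5 d5 + chi6 d6 over (F, F*),
    next to the closed form z'_j = z m_j - sum_i chi_{3+i} xi[i][j] from the proof."""
    c0 = lin([(z, d[0]), (z * ident, d[1]), (z * t, d[2])] + [(chi[i], d[3 + i]) for i in range(3)])
    _, f_star = change_bases(d, d_star, xi)
    predicted = [(z * m - sum(chi[i] * xi[i][j] for i in range(3))) % Q
                 for j, m in enumerate((1, ident, t))]
    return coords(c0, f_star, psi), predicted + [c % Q for c in chi]


def key_coords(d, d_star, psi, xi, alpha1, r1, ident, nu):
    """K_id exponent (alpha1 + r1 id) d1* - r1 d2* + nu4 d4* + nu5 d5* + nu6 d6* over (F, F*),
    next to the closed form nu'_{3+i} = nu_{3+i} + xi[i][0](alpha1 + r1 id) - r1 xi[i][1]."""
    a = (alpha1 + r1 * ident) % Q
    k = lin([(a, d_star[0]), (-r1, d_star[1])] + [(nu[i], d_star[3 + i]) for i in range(3)])
    f, _ = change_bases(d, d_star, xi)
    predicted = [a, (-r1) % Q, 0] + [(nu[i] + xi[i][0] * a - r1 * xi[i][1]) % Q for i in range(3)]
    return coords(k, f, psi), predicted


def demo() -> Dict[str, bool]:
    d, d_star, psi = dual_bases(6)
    xi = [[secrets.randbelow(Q) for _ in range(3)] for _ in range(3)]
    f, f_star = change_bases(d, d_star, xi)
    z, ident, t, chi = 7, 11, 13, [17, 19, 23]  # constructed exponents
    got_c, want_c = ciphertext_coords(d, d_star, psi, xi, z, ident, t, chi)
    got_k, want_k = key_coords(d, d_star, psi, xi, 29, 31, ident, [37, 41, 43])
    return {"F_dual": is_dual_orthonormal(f, f_star, psi),
            "ct_ok": got_c == want_c, "key_ok": got_k == want_k}
```

`demo()` returns three booleans, all `True`: the transformed bases are dual orthonormal, and both re-expressed exponents match the closed forms. Because the vectors themselves never change, every pairing value $\langle \mathbf{c}_0, \mathbf{k}\rangle$ is identical in both readings, which is exactly why the adversary cannot tell the two games apart; only the labels on the $\mathbf{f}_1,\mathbf{f}_2,\mathbf{f}_3$ coordinates move, and they become uniform once $(\chi_4,\chi_5,\chi_6) \ne 0$.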
Lemma 10. For any adversary $\mathcal{A}$, $\mathsf{Adv}^{\mathrm{Game}_{Final}}(\mathcal{A}) = 0$.

Proof: The value of $\beta$ is independent from the adversary's view in $\mathrm{Game}_{Final}$. Hence, $\mathsf{Adv}^{\mathrm{Game}_{Final}}(\mathcal{A}) = 0$. ■

In $\mathrm{Game}_{Final}$, the challenge ciphertext is a semi-functional encryption of a random message in $\mathbb{G}_T$ under a random identity in $\mathbb{Z}_q$ and a random time in $\mathbb{Z}_q$, independent of the two messages, the challenge identities, and the times provided by $\mathcal{A}$. Thus, our RIBE scheme is adaptively secure and anonymous. ■

V. Construction from DLIN

We use the same binary tree structure mentioned in the previous section in our second construction.

A. Our Scheme

Here we provide our second construction of RIBE under the DLIN assumption. Our RIBE scheme is specified as follows:

• Setup($\lambda$, $N_{\max}$): On input a security parameter $\lambda$ and a maximal number $N_{\max}$ of users, generate a symmetric bilinear pairing $\mathbb{G} := (q, G, G_T, g, e)$ of sufficiently large prime order $q$. Next perform the following steps:

1) Let RL be an empty set and BT be a binary tree with at least $N_{\max}$ leaf nodes; set ST := BT.

2) Sample random dual orthonormal bases $(\mathbb{D}, \mathbb{D}^*) \leftarrow_R \mathrm{Dual}(\mathbb{Z}_q^9)$. Let $\mathbf{d}_1,\ldots,\mathbf{d}_9$ denote the elements of $\mathbb{D}$ and $\mathbf{d}_1^*,\ldots,\mathbf{d}_9^*$ the elements of $\mathbb{D}^*$. Pick $\alpha \leftarrow_R \mathbb{Z}_q$ and compute $g_T := e(g,g)^{\mathbf{d}_1\cdot\mathbf{d}_1^*}$.

3) Output RL, ST, the public parameters

$$PP := \{\mathbb{G};\; g_T^{\alpha},\; g^{\mathbf{d}_1},\; \ldots,\; g^{\mathbf{d}_6}\},$$

and the master key

$$MK := \{\alpha,\; \mathbf{d}_1^*,\; \ldots,\; \mathbf{d}_6^*\}.$$

• PriKeyGen(PP, MK, id, RL, ST): On input the public parameters PP, the master key MK, an identity id, the revocation list RL, and the state ST, it picks an unassigned leaf node $v$ from BT and stores id in that node. It then performs the following steps:

1) For any $\theta \in \mathrm{Path}(v)$, if $\alpha_{\theta,1}, \alpha_{\theta,2}, \alpha_{\theta,3}$ are undefined, then pick $\alpha_{\theta,1}, \alpha_{\theta,3} \leftarrow_R \mathbb{Z}_q$, set $\alpha_{\theta,2} := \alpha - \alpha_{\theta,1}$, and store them in node $\theta$. Pick $r_{\theta,1}, r_{\theta,3} \leftarrow_R \mathbb{Z}_q$ and compute

$$K_{id,\theta} := g^{(\alpha_{\theta,1} + r_{\theta,1} id)\mathbf{d}_1^* - r_{\theta,1}\mathbf{d}_2^* + (\alpha_{\theta,3} + r_{\theta,3} id)\mathbf{d}_4^* - r_{\theta,3}\mathbf{d}_5^*}.$$

2) Output $SK_{id} := \{(\theta, K_{id,\theta})\}_{\theta\in\mathrm{Path}(v)}$, ST.

• KeyUpd(PP, MK, t, RL, ST): On input the public parameters PP, the master key MK, a time t, the revocation list RL, and the state ST, it performs the following steps:

1) $\forall \theta \in \mathrm{KUNodes}(BT, RL, t)$, if $\alpha_{\theta,1}, \alpha_{\theta,2}, \alpha_{\theta,3}$ are undefined, then pick $\alpha_{\theta,1}, \alpha_{\theta,3} \leftarrow_R \mathbb{Z}_q$, set $\alpha_{\theta,2} := \alpha - \alpha_{\theta,1}$, and store them in node $\theta$. Pick $r_{\theta,2}, r_{\theta,4} \leftarrow_R \mathbb{Z}_q$ and compute

$$K_{t,\theta} := g^{(\alpha_{\theta,2} + r_{\theta,2} t)\mathbf{d}_1^* - r_{\theta,2}\mathbf{d}_3^* + (-\alpha_{\theta,3} + r_{\theta,4} t)\mathbf{d}_4^* - r_{\theta,4}\mathbf{d}_6^*}.$$

2) Output $KU_t := \{(t, \theta, K_{t,\theta})\}_{\theta\in\mathrm{KUNodes}(BT,RL,t)}$.

• DecKeyGen($SK_{id}$, $KU_t$): On input a private key $SK_{id} := \{(i, K_{id,i})\}_{i\in I}$ and a key update $KU_t := \{(j, K_{t,j})\}_{j\in J}$ for some sets of nodes $I, J$, it runs the following steps:

1) $\forall (i, K_{id,i}) \in SK_{id}$, $(j, K_{t,j}) \in KU_t$: if $\exists (i,j)$ s.t. $i = j$ then $DK_{id,t} \leftarrow (K_{id,i}, K_{t,j})$; else (if $SK_{id}$ and $KU_t$ do not have any node in common) $DK_{id,t} \leftarrow \bot$.

2) Output $DK_{id,t}$.

• Enc(PP, id, t, m): On input the public parameters PP, an identity id, a time $t \in \mathbb{Z}_q$, and a message m, it picks $z_1, z_2 \leftarrow_R \mathbb{Z}_q$ and forms the ciphertext as

$$CT_{id,t} := \left\{ C := m \cdot (g_T^{\alpha})^{z_1},\;\; C_0 := g^{z_1(\mathbf{d}_1 + id\,\mathbf{d}_2 + t\,\mathbf{d}_3) + z_2(\mathbf{d}_4 + id\,\mathbf{d}_5 + t\,\mathbf{d}_6)} \right\}.$$

• Dec(PP, $DK_{id,t}$, $CT_{id,t}$): On input the public parameters PP, a decryption key $DK_{id,t} := (K_{id,\theta}, K_{t,\theta})$, and a ciphertext $CT_{id,t} := (C, C_0)$, it computes the message as

$$m := C \,/\, \left( e(C_0, K_{id,\theta}) \cdot e(C_0, K_{t,\theta}) \right).$$

• KeyRev(id, t, RL, ST): On input an identity id, a time t, the revocation list RL, and the state ST, the algorithm adds (id, t) to RL for all nodes $\nu$ associated with identity id and returns RL.

Correctness. Observe that

$$e(C_0, K_{id,\theta}) = e\!\left(g^{z_1(\mathbf{d}_1 + id\,\mathbf{d}_2 + t\,\mathbf{d}_3) + z_2(\mathbf{d}_4 + id\,\mathbf{d}_5 + t\,\mathbf{d}_6)},\; g^{(\alpha_{\theta,1} + r_{\theta,1} id)\mathbf{d}_1^* - r_{\theta,1}\mathbf{d}_2^* + (\alpha_{\theta,3} + r_{\theta,3} id)\mathbf{d}_4^* - r_{\theta,3}\mathbf{d}_5^*}\right) = e(g,g)^{\alpha_{\theta,1} z_1 \mathbf{d}_1\cdot\mathbf{d}_1^* + \alpha_{\theta,3} z_2 \mathbf{d}_4\cdot\mathbf{d}_4^*},$$

since the $r_{\theta,1} id$ and $r_{\theta,3} id$ terms cancel against $-r_{\theta,1}\mathbf{d}_2^*$ and $-r_{\theta,3}\mathbf{d}_5^*$ by orthonormality. Similarly, $e(C_0, K_{t,\theta}) = e(g,g)^{\alpha_{\theta,2} z_1 \mathbf{d}_1\cdot\mathbf{d}_1^* - \alpha_{\theta,3} z_2 \mathbf{d}_4\cdot\mathbf{d}_4^*}$. Then

$$e(C_0, K_{id,\theta}) \cdot e(C_0, K_{t,\theta}) = e(g,g)^{\alpha_{\theta,1} z_1 \mathbf{d}_1\cdot\mathbf{d}_1^* + \alpha_{\theta,3} z_2 \mathbf{d}_4\cdot\mathbf{d}_4^*} \cdot e(g,g)^{\alpha_{\theta,2} z_1 \mathbf{d}_1\cdot\mathbf{d}_1^* - \alpha_{\theta,3} z_2 \mathbf{d}_4\cdot\mathbf{d}_4^*} = g_T^{(\alpha_{\theta,1} + \alpha_{\theta,2}) z_1} = (g_T^{\alpha})^{z_1}.$$
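The part of this construction that a deployer actually has to get right is the bookkeeping around the binary tree: which nodes carry $\alpha$ shares, which nodes a key update covers once users are revoked, and why a revoked user ends up with no node in common with $KU_t$. The following is an added example (not code from the paper) that models exactly that bookkeeping for the scheme above: Path, KUNodes (the complete-subtree cover), the lazy per-node definition of $(\alpha_{\theta,1},\alpha_{\theta,2},\alpha_{\theta,3})$ with $\alpha_{\theta,1}+\alpha_{\theta,2}=\alpha$, DecKeyGen's node matching, and the exponent $(\alpha_{\theta,1}+\alpha_{\theta,2})z_1 + (\alpha_{\theta,3}-\alpha_{\theta,3})z_2$ that survives the two pairings in the Correctness argument. Pairings and the dual orthonormal bases are not modelled; only exponents are tracked. The prime `Q`, the heap-ordered node numbering and all class and function names are assumptions of this example.

```python
# Added example (not from the paper): the complete-subtree revocation structure
# behind the RIBE scheme, tracking only the exponents that survive the pairings.
# Q, the node numbering and all names are constructed for this illustration.
import secrets
from typing import Dict, List, Optional, Set, Tuple

Q = (1 << 61) - 1  # constructed: a prime standing in for the group order q
Share = Tuple[int, int]  # (coefficient on d1.d1*, coefficient on d4.d4*)


class BinaryTree:
    """BT with at least n_max leaves; nodes in heap order (root = 1, children 2i, 2i+1)."""

    def __init__(self, n_max: int) -> None:
        self.depth = max(1, (n_max - 1).bit_length())  # ceil(log2 n_max), at least 1
        self.n_leaves = 1 << self.depth
        self.leaf_of: Dict[str, int] = {}  # identity -> assigned leaf (part of ST)
        self.next_leaf = 0

    def assign_leaf(self, ident: str) -> int:
        if ident in self.leaf_of:
            return self.leaf_of[ident]
        if self.next_leaf >= self.n_leaves:
            raise ValueError("no unassigned leaf left")
        leaf = self.n_leaves + self.next_leaf
        self.next_leaf += 1
        self.leaf_of[ident] = leaf
        return leaf


def path(leaf: int) -> List[int]:
    """Path(v): the nodes from leaf v up to the root."""
    nodes = []
    while leaf >= 1:
        nodes.append(leaf)
        leaf //= 2
    return nodes


def ku_nodes(tree: BinaryTree, rl: List[Tuple[str, int]], t: int) -> Set[int]:
    """KUNodes(BT, RL, t): minimal cover of the leaves not revoked by time t."""
    x: Set[int] = set()  # every node on the path of a revoked leaf
    for ident, t_rev in rl:
        if t_rev <= t and ident in tree.leaf_of:
            x.update(path(tree.leaf_of[ident]))
    if not x:
        return {1}  # no revocation in effect: the root covers every leaf
    y: Set[int] = set()  # children hanging off x that are themselves outside x
    for node in x:
        for child in (2 * node, 2 * node + 1):
            if child < 2 * tree.n_leaves and child not in x:
                y.add(child)
    return y  # empty if every leaf is revoked, so nobody can decrypt


class KeyAuthority:
    """Holds alpha from MK and the state ST (tree, per-node alpha shares, RL)."""

    def __init__(self, n_max: int) -> None:
        self.tree = BinaryTree(n_max)
        self.alpha = secrets.randbelow(Q)
        self.shares: Dict[int, Tuple[int, int, int]] = {}  # theta -> (a1, a2, a3)
        self.rl: List[Tuple[str, int]] = []

    def _node_shares(self, node: int) -> Tuple[int, int, int]:
        # Lazily defined per node as in PriKeyGen/KeyUpd: a1, a3 random, a2 = alpha - a1.
        if node not in self.shares:
            a1, a3 = secrets.randbelow(Q), secrets.randbelow(Q)
            self.shares[node] = (a1, (self.alpha - a1) % Q, a3)
        return self.shares[node]

    def pri_key_gen(self, ident: str) -> Dict[int, Share]:
        """SK_id: for theta in Path(v), the exponents (a1, a3) carried by K_id,theta."""
        leaf = self.tree.assign_leaf(ident)
        return {n: (self._node_shares(n)[0], self._node_shares(n)[2]) for n in path(leaf)}

    def key_upd(self, t: int) -> Dict[int, Share]:
        """KU_t: for theta in KUNodes(BT, RL, t), the exponents (a2, -a3) of K_t,theta."""
        return {n: (self._node_shares(n)[1], (-self._node_shares(n)[2]) % Q)
                for n in ku_nodes(self.tree, self.rl, t)}

    def key_rev(self, ident: str, t: int) -> None:
        self.rl.append((ident, t))


def dec_key_gen(sk: Dict[int, Share], ku: Dict[int, Share]) -> Optional[Tuple[Share, Share]]:
    """DK_id,t: the (K_id,theta, K_t,theta) pair at a common node, or None for bottom."""
    common = sorted(set(sk) & set(ku))
    if not common:
        return None
    return sk[common[0]], ku[common[0]]


def recovered_exponent(dk: Tuple[Share, Share], z1: int, z2: int) -> int:
    """Exponent of e(C0,K_id)*e(C0,K_t): z1(a1 + a2) + z2(a3 - a3), which must be z1*alpha."""
    (a1, a3), (a2, neg_a3) = dk
    return (z1 * (a1 + a2) + z2 * (a3 + neg_a3)) % Q


def scenario() -> Dict[str, bool]:
    """Constructed run: alice stays valid, bob is revoked from time 5 on."""
    ka = KeyAuthority(n_max=8)
    sk_alice, sk_bob = ka.pri_key_gen("alice"), ka.pri_key_gen("bob")
    ka.key_rev("bob", 5)
    z1, z2 = 12345, 67890  # encryptor's randomness (constructed)
    result = {}
    for name, sk in (("alice", sk_alice), ("bob", sk_bob)):
        for t in (4, 5, 9):
            dk = dec_key_gen(sk, ka.key_upd(t))
            ok = dk is not None and recovered_exponent(dk, z1, z2) == z1 * ka.alpha % Q
            result[f"{name}@{t}"] = ok
    return result
```

`scenario()` reports `True` for alice at every time and for bob at time 4, and `False` for bob at times 5 and 9: once `("bob", 5)` is in RL, every node on bob's path is excluded from the cover, so DecKeyGen finds no common node and returns $\bot$, while alice still receives an update at the sibling node that covers her leaf. The $\alpha_{\theta,3}$ component is carried with opposite signs by the two key parts, which is why it drops out in `recovered_exponent` exactly as the $z_2\mathbf{d}_4\cdot\mathbf{d}_4^*$ terms cancel in the Correctness argument. Note that `ku_nodes` returns the root only when no revocation is in effect; if every leaf were revoked it returns an empty cover rather than falling back to the root.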

B. Proof of Security

We show that the RIBE scheme is secure by the following theorem; the proof techniques are essentially the same as those for Theorem 1, except that we use the DLIN-based Subspace assumption of [...].

Theorem 2. The RIBE scheme is adaptively secure and anonymous under the DLIN assumption. More precisely, for any adversary $\mathcal{A}$ against the RIBE scheme, there exist probabilistic algorithms

$$\mathcal{B}_0,\quad \{\mathcal{B}_{\kappa_1,\kappa_2}\}_{\kappa_1 = 1,\ldots,q_{n_1};\; \kappa_2 = 1,\ldots,\lceil \log N_{\max} \rceil},\quad \{\mathcal{B}_{\kappa_1,\kappa_2}\}_{\kappa_1 = q_{n_1}+1,\ldots,q_{n_1}+q_{n_2}+1;\; \kappa_2 = 1,\ldots,N_{\max}},\quad \{\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}\}_{\kappa_2 = 1,\ldots,4N_{\max}}$$

whose running times are essentially the same as that of $\mathcal{A}$, such that (only the tail of the bound survives extraction)

$$\cdots + \sum_{\kappa_2=1}^{4N_{\max}} \mathsf{Adv}^{DLIN}_{\mathcal{B}_{q_{n_1}+q_{n_2}+1,\kappa_2}}(\lambda) + \frac{6\left(q_{n_1}\lceil \log N_{\max}\rceil + q_{n_2} N_{\max}\right) + 32 N_{\max} + 6}{q},$$

where $q_{n_1}$, $q_{n_2}$ are the maximum number of $\mathcal{A}$'s private key and key update queries, respectively.

VI. Conclusions

In this paper, we presented two efficient RIBE schemes under the SXDH and the DLIN assumptions, respectively, which overcome the existing problem of increasing sizes of public parameters. In comparison with the existing schemes of [21], our RIBE schemes are adaptively secure, anonymous and have constant-size public parameters, although they have larger sizes of keys and ciphertexts. Our RIBE schemes can be extended very naturally to obtain revocable IPE schemes with weakly attribute-hiding [24], [26]. Also our techniques can be applied to a more general setting, for example, the ABE schemes of [26], to obtain adaptively secure revocable ABE schemes.